
Supply chain hardening #1402

Open
wants to merge 4 commits into
base: master

Conversation


@MadsRC MadsRC commented Mar 22, 2025

Fixes Or Enhances

This PR pins the versions of the various GitHub Actions used throughout this project.

Why pin?

Version pinning is an essential security control to defend against supply chain attacks. Recently, a well-known GitHub Action (tj-actions/changed-files) was compromised to leak secrets. Such an attack would not be successful if downstream users had pinned their dependencies. More info can be found here: https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised

Additional information about pinning GitHub Actions can be found here: https://www.stepsecurity.io/blog/pinning-github-actions-for-enhanced-security-a-complete-guide

Updates

Dependabot is compatible with pinning GitHub Actions and will submit back PRs with new versions pinned. Additionally, it should add a comment to the end of the hash (like I've done in the code) to show exactly what version is being used.

Make sure that you've checked the boxes below before you submit the PR:

  • Tests exist or have been written that cover this particular change.

@go-playground/validator-maintainers

NOTE: This PR includes changes from PR #1372, meaning that one should probably be merged first.

@MadsRC MadsRC requested a review from a team as a code owner March 22, 2025 13:23
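The pinning policy the PR describes (a remote action referenced by its full commit SHA, followed by a `# vX.Y.Z` comment that Dependabot keeps current) is easy to enforce with a small check. The program below is an added example and is not code from this PR or from the validator project: it parses `uses:` lines out of a constructed workflow, flags mutable refs (tags and branches) and SHA pins that lack a version comment, and skips local `./path` actions. The workflow text, the `ParseUses`/`Check` helpers and the 40-hex SHA in it are placeholders written for this illustration, not real commits.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// ActionRef is one remote `uses: owner/repo@ref` reference found in a workflow.
type ActionRef struct {
	Line    int
	Action  string // e.g. actions/checkout
	Ref     string // tag, branch or commit SHA after '@'
	Comment string // trailing '# ...' comment on the same line, if any
}

// usesRe matches `uses: owner/repo[/path]@ref` with an optional trailing comment.
// Local actions (./path) carry no '@' and are deliberately not matched.
var usesRe = regexp.MustCompile(`^\s*-?\s*uses:\s*([^@\s]+)@(\S+)\s*(#.*)?$`)

// shaRe accepts only a full 40-hex commit id. Tags such as v4 and branch names
// are mutable and can be moved by an attacker who controls the action repo.
var shaRe = regexp.MustCompile(`^[0-9a-f]{40}$`)

// versionCommentRe accepts the '# v4.2.2' style comment Dependabot maintains.
var versionCommentRe = regexp.MustCompile(`^#\s*v?\d+(\.\d+)*`)

// ParseUses extracts every remote action reference, with its 1-based line number.
func ParseUses(workflow string) []ActionRef {
	var refs []ActionRef
	sc := bufio.NewScanner(strings.NewReader(workflow))
	for n := 1; sc.Scan(); n++ {
		m := usesRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		refs = append(refs, ActionRef{Line: n, Action: m[1], Ref: m[2], Comment: strings.TrimSpace(m[3])})
	}
	return refs
}

// Pinned reports whether the reference is an immutable full-length commit SHA.
func (r ActionRef) Pinned() bool { return shaRe.MatchString(r.Ref) }

// Finding describes one reference that violates the pinning policy.
type Finding struct {
	Ref    ActionRef
	Reason string
}

// Check applies the policy: every remote action must be pinned to a full commit
// SHA, and the SHA must carry a human-readable version comment.
func Check(workflow string) []Finding {
	var out []Finding
	for _, r := range ParseUses(workflow) {
		switch {
		case !r.Pinned():
			out = append(out, Finding{r, fmt.Sprintf("mutable ref %q (tag or branch); pin to a commit SHA", r.Ref)})
		case !versionCommentRe.MatchString(r.Comment):
			out = append(out, Finding{r, "pinned SHA has no '# vX.Y.Z' version comment"})
		}
	}
	return out
}

// sampleWorkflow is constructed for this example; the SHA is a placeholder, not a real commit.
const sampleWorkflow = `name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4                # mutable tag: fails
      - uses: actions/setup-go@main              # mutable branch: fails
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567   # SHA, no version comment: fails
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: ./.github/actions/local            # local action: not checked
      - run: go test ./...
`

func main() {
	findings := Check(sampleWorkflow)
	for _, f := range findings {
		fmt.Printf("line %d: %s: %s\n", f.Ref.Line, f.Ref.Action, f.Reason)
	}
	if len(findings) == 0 {
		fmt.Println("all remote actions pinned to commit SHAs with version comments")
	}
}
```

Run against a real repository by reading each file under `.github/workflows/` into `Check`; a non-empty result is a CI failure. The version-comment requirement is what keeps the pinned SHAs reviewable, since a bare hash tells a reviewer nothing about which release it corresponds to.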
@coveralls

Coverage Status

coverage: 74.245% (+0.004%) from 74.241%
when pulling 07fa455 on MadsRC:supplyChainHardening
into 8592022 on go-playground:master.

@nodivbyzero (Contributor)

Thanks for the effort on this!
Please try to keep PRs focused on a single feature or change.
Smaller, more focused PRs are easier to review and get merged faster.

Let’s break this down if possible.
