]> git.openstreetmap.org Git - rails.git/commit
projects / rails.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 7e12fb5) | patch
Lock GitHub Actions dependencies to SHAs for security and predictability
authorNicholas La Roux <larouxn@gmail.com>
Mon, 18 Aug 2025 02:59:24 +0000 (22:59 -0400)
committerNicholas La Roux <larouxn@gmail.com>
Mon, 18 Aug 2025 02:59:27 +0000 (22:59 -0400)
commit44d99095488d106293de0c1b2d1d44f1e5bd2919
tree71a4f0d8e459e85202ed226a8726515fcab73213tree | snapshot
parent7e12fb5e70f5f508f155734b59b918ade40b038ecommit | diff
Lock GitHub Actions dependencies to SHAs for security and predictability

Locking to SHAs is best practice for security and predictability as we know exactly which version is being used. Without locking to SHAs, Actions will simply use whatever latest version is available for the given specified version, usually a major such as "v4", leading to "silent bumps" at the runtime level of sorts.

Locking to SHAs will also allow us to receive patch and minor level dependency upgrade PRs as opposed to, in most cases, just bumps for major versions.
.github/workflows/danger.yml diff | blob | history
.github/workflows/docker.yml diff | blob | history
.github/workflows/lint.yml diff | blob | history
.github/workflows/tests.yml diff | blob | history
The OpenStreetMap web site