From 44d99095488d106293de0c1b2d1d44f1e5bd2919 Mon Sep 17 00:00:00 2001
From: Nicholas La Roux
Date: Sun, 17 Aug 2025 22:59:24 -0400
Subject: [PATCH] Lock GitHub Actions dependencies to SHAs for security and predictability

Locking to SHAs is best practice for security and predictability as we know exactly which version is being used. Without locking to SHAs, Actions will simply use whatever latest version is available for the given specified version, usually a major such as "v4", leading to "silent bumps" at the runtime level of sorts. Locking to SHAs will also allow us to receive patch and minor level dependency upgrade PRs as opposed to, in most cases, just bumps for major versions.
---
 .github/workflows/danger.yml | 4 ++--
 .github/workflows/docker.yml | 2 +-
 .github/workflows/lint.yml | 24 ++++++++++++------------
 .github/workflows/tests.yml | 12 ++++++------
 4 files changed, 21 insertions(+), 21 deletions(-)

diff --git a/.github/workflows/danger.yml b/.github/workflows/danger.yml
index b87be4477..5dee491e8 100644
--- a/.github/workflows/danger.yml
+++ b/.github/workflows/danger.yml
@@ -14,11 +14,11 @@ jobs:
 timeout-minutes: 10
 steps:
 - name: Check out code
- uses: actions/checkout@v5
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 fetch-depth: 0
 - name: Setup ruby
- uses: ruby/setup-ruby@v1
+ uses: ruby/setup-ruby@829114fc20da43a41d27359103ec7a63020954d4 # v1.255.0
 with:
 ruby-version: 3.2
 rubygems: 3.4.10
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 3632d7811..16122c286 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -12,7 +12,7 @@ jobs:
 timeout-minutes: 20
 steps:
 - name: Checkout source
- uses: actions/checkout@v5
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 - name: Poke config
 run: |
 cp config/example.storage.yml config/storage.yml
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 3e466f25a..0087b029b 100644
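Review bot: The `# v5.0.0`-style trailing comments on the new `uses:` lines are informational only — the runner resolves the 40-character SHA, and nothing in the workflow checks that the SHA is the commit the named tag points to, so each pin should be verified once against the upstream tag and re-verified whenever the comment is edited by hand; the same applies to the `uses:` pins in the docker.yml, lint.yml and tests.yml hunks. The commit message counts on patch/minor upgrade PRs, which only arrive if an updater that understands SHA pins is configured (for Dependabot, a `package-ecosystem: github-actions` entry in `.github/dependabot.yml`); that file is not in this patch, so confirm it exists or add it in a follow-up, since stale SHAs are the usual cost of this change. Note also that the SHA fixes the action's own code, not what it fetches at run time — `ruby/setup-ruby` and `actions/setup-node` still download toolchains during the step — so the pin narrows but does not close the supply-chain surface. The enclosing `steps:` list in each hunk continues outside the hunk.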
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -14,9 +14,9 @@ jobs:
 timeout-minutes: 10
 steps:
 - name: Check out code
- uses: actions/checkout@v5
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 - name: Setup ruby
- uses: ruby/setup-ruby@v1
+ uses: ruby/setup-ruby@829114fc20da43a41d27359103ec7a63020954d4 # v1.255.0
 with:
 ruby-version: ${{ env.ruby }}
 rubygems: 3.4.10
@@ -29,9 +29,9 @@ jobs:
 timeout-minutes: 10
 steps:
 - name: Check out code
- uses: actions/checkout@v5
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 - name: Setup ruby
- uses: ruby/setup-ruby@v1
+ uses: ruby/setup-ruby@829114fc20da43a41d27359103ec7a63020954d4 # v1.255.0
 with:
 ruby-version: ${{ env.ruby }}
 rubygems: 3.4.10
@@ -44,15 +44,15 @@ jobs:
 timeout-minutes: 10
 steps:
 - name: Check out code
- uses: actions/checkout@v5
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 - name: Setup ruby
- uses: ruby/setup-ruby@v1
+ uses: ruby/setup-ruby@829114fc20da43a41d27359103ec7a63020954d4 # v1.255.0
 with:
 ruby-version: ${{ env.ruby }}
 rubygems: 3.4.10
 bundler-cache: true
 - name: Cache node modules
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 cache: yarn
 - name: Install node modules
@@ -67,9 +67,9 @@ jobs:
 timeout-minutes: 10
 steps:
 - name: Check out code
- uses: actions/checkout@v5
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 - name: Setup ruby
- uses: ruby/setup-ruby@v1
+ uses: ruby/setup-ruby@829114fc20da43a41d27359103ec7a63020954d4 # v1.255.0
 with:
 ruby-version: ${{ env.ruby }}
 rubygems: 3.4.10
@@ -84,9 +84,9 @@ jobs:
 timeout-minutes: 10
 steps:
 - name: Check out code
- uses: actions/checkout@v5
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 - name: Setup ruby
- uses: ruby/setup-ruby@v1
+ uses: ruby/setup-ruby@829114fc20da43a41d27359103ec7a63020954d4 # v1.255.0
 with:
 ruby-version: ${{ env.ruby }}
 rubygems: 3.4.10
@@ -96,7 +96,7 @@ jobs:
 cp config/github.database.yml config/database.yml
 cp config/example.storage.yml config/storage.yml
 - name: Cache node modules
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 cache: yarn
 - name: Install node modules
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 2428a7628..e4c4151ec 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -18,15 +18,15 @@ jobs:
 timeout-minutes: 20
 steps:
 - name: Checkout source
- uses: actions/checkout@v5
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 - name: Setup ruby
- uses: ruby/setup-ruby@v1
+ uses: ruby/setup-ruby@829114fc20da43a41d27359103ec7a63020954d4 # v1.255.0
 with:
 ruby-version: ${{ matrix.ruby }}
 rubygems: 3.4.10
 bundler-cache: true
 - name: Cache node modules
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 cache: yarn
 - name: Install packages
@@ -64,14 +64,14 @@ jobs:
 - name: Run javascript tests
 run: bundle exec teaspoon
 - name: Upload screenshots
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 if: failure()
 with:
 name: screenshots
 path: tmp/screenshots
 if-no-files-found: ignore
 - name: Report completion to Coveralls
- uses: coverallsapp/github-action@v2.3.6
+ uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6
 with:
 github-token: ${{ secrets.github_token }}
 flag-name: ruby-${{ matrix.ruby }}
@@ -84,7 +84,7 @@ jobs:
 timeout-minutes: 1
 steps:
 - name: Report completion to Coveralls
- uses: coverallsapp/github-action@v2.3.6
+ uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6
 with:
 github-token: ${{ secrets.github_token }}
 parallel-finished: true
--
2.39.5