Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add optional lint to require that actions are pinned to commit hashes #436

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Add optional lint to require that actions are pinned to commit hashes #436

wants to merge 3 commits into from

Conversation

mortenson
Copy link

This PR addresses the "Pin Actions to a full length commit SHA" part of #198 by optionally enforcing that actions are pinned to (full) commit hashes.

This can be enabled by setting require-commit-hash to true in actionlint.yaml.

I haven't contributed to this repo before, so please let me know if you'd like any changes!

mortenson
mortenson commented Jun 24, 2024
View reviewed changes
rule_action.go
@@ -284,6 +285,10 @@ var BrandingIcons = map[string]struct{}{
"zoom-out": {},
}

var hashRegex = regexp.MustCompile("^[0-9a-f]{40}$")
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You could use short hashes as well, but I was almost certain that would conflict with branch names so this seems better.

ChrisCarini
ChrisCarini approved these changes Jun 26, 2024
View reviewed changes
Copy link
Contributor

@ChrisCarini ChrisCarini left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome! 🎉 👏

Looking forward to seeing this feature incorporated since it is a recommended 'security hardening' best-practice that GitHub states: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

@mortenson
Copy link
Author

@rhysd what do you think? Viable and/or any changes you'd suggest?

@Elfo404 Elfo404 mentioned this pull request Oct 15, 2024
Open
@rhysd rhysd force-pushed the main branch 2 times, most recently from 05e056b to 5aaa4ce Compare November 12, 2024 16:13
@czeslavo czeslavo mentioned this pull request Jan 9, 2025
Merged
1 task
@pmalek
Copy link

pmalek commented Jan 9, 2025

@mortenson any chance on moving this forward? That's a very nice addition that we'd like to use.

@mortenson
Copy link
Author

@pmalek I'm not a maintainer but I've just resolved merge conflicts if @rhysd has time to review 😺

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ChrisCarini ChrisCarini ChrisCarini approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mortenson @pmalek @ChrisCarini