Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Securely pin node version #1260

Open
ned opened this issue Mar 27, 2025 · 1 comment
Open

Securely pin node version #1260

ned opened this issue Mar 27, 2025 · 1 comment
Labels
feature request New feature or request to improve the current logic

Comments

@ned
Copy link

ned commented Mar 27, 2025

Description:
Allow specifying the sha256 of the node binary in addition to the node version. If the asset fails to match the expected sha256, we should error.
If specifying the sha256 is not feasible, we could allow specifying the git commit of the release (https://github.com/actions/node-versions/releases).

Justification:
Ensure that any 3rd party code that runs in GitHub actions is locked down to known hashes.

Are you willing to submit a PR?
Yes, once the details are ironed out.
@ned ned added feature request New feature or request to improve the current logic needs triage labels Mar 27, 2025
@suyashgaonkar
Copy link
Contributor

Hi @ned , Thank you for creating this feature request. We will investigate it and provide feedback as soon as we have some updates.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature request New feature or request to improve the current logic
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ned @suyashgaonkar