
Pin down GHA to SHA references to prevent compromise #172

Merged
knuton merged 1 commit into dividat:main from yfyf:pin-down-gha
Apr 28, 2026
Conversation

yfyf (Contributor) commented Apr 24, 2026

Same as dividat/playos#339

Btw, discovered a nice tool for automating this (after doing nearly all of it by hand...): https://github.com/sethvargo/ratchet

yfyf requested a review from knuton April 24, 2026 11:59
yfyf added the "reviewable" label (Ready for initial or iterative review.) Apr 24, 2026
knuton (Member) left a comment

Thanks

In the meantime, cachix/install-nix-action@v31 resolves to a newer commit:

```
bash resolve-gh-ref.bash cachix/install-nix-action@v31
Fetching commit info for cachix/install-nix-action at v31...
--------------------------------------------------
Author:  sander <hey@sandydoo.me>
Date:    2026-04-13T10:46:50Z
URL:     https://github.com/cachix/install-nix-action/commit/ab739621df7a23f52766f9ccc97f38da6b7af14f
--------------------------------------------------
Merge pull request #274 from cachix/create-pull-request/patch
```

That seems fine.

knuton removed the "reviewable" label (Ready for initial or iterative review.) Apr 28, 2026
knuton merged commit 0312f4d into dividat:main Apr 28, 2026
5 checks passed
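
An added example (not code from this pull request or from ratchet) of auditing a workflow so that every `uses:` reference is pinned to a full commit SHA, which is what the PR title asks for. The workflow text and the function names are constructed for illustration; only the install-nix-action SHA is taken from the thread above.

```python
import re

# A `uses:` key on a step or job, with optional quotes and an optional trailing comment.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*["']?([^"'\s#]+)["']?\s*(?:#\s*(.*))?$""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def classify(target):
    """Return 'local', 'pinned' or 'unpinned' for one `uses:` value."""
    if target.startswith("./"):
        return "local"  # same-repo action, versioned together with the workflow
    if target.startswith("docker://"):
        _, _, digest = target.partition("@")
        return "pinned" if DIGEST_RE.fullmatch(digest) else "unpinned"
    _, _, ref = target.partition("@")
    # Only a full 40-hex commit SHA counts as a pin; tags and branches can be repointed.
    return "pinned" if FULL_SHA_RE.fullmatch(ref) else "unpinned"


def audit(workflow_text):
    """Return (line_no, target, status, comment) for every `uses:` line."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            target, comment = m.group(1), (m.group(2) or "").strip()
            findings.append((no, target, classify(target), comment))
    return findings


# Constructed sample workflow; only the install-nix-action SHA comes from the thread.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: cachix/install-nix-action@ab739621df7a23f52766f9ccc97f38da6b7af14f # v31
      - uses: ./.github/actions/setup
      - name: lint
        uses: "docker://ghcr.io/example/linter:latest"
"""

if __name__ == "__main__":
    for no, target, status, comment in audit(SAMPLE):
        print(f"line {no}: {status:8} {target} {comment}")
```

Failing CI whenever `audit` reports an `unpinned` entry keeps later workflow edits from reintroducing mutable tag references.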