chore(ci): pin all GitHub Actions to full-length commit SHAs #422
Merged
Following GitHub's hardening guide, pin every third-party (and first-party) action used in workflows to a full 40-char commit SHA, with a version comment for human readability. This protects against supply-chain attacks where a tag could be silently re-pointed to a malicious commit.

Pinned actions:
- actions/checkout (v4.3.1)
- actions/setup-go (v5.6.0)
- actions/cache (v4.3.0)
- actions/setup-node (v4.4.0)
- dart-lang/setup-dart (v1.7.2)
- nanasess/setup-chromedriver (v2.2.2)
- golangci/golangci-lint-action (v7.0.1)
- goreleaser/goreleaser-action (v5.0.0)

Files affected:
- .github/workflows/go.yml
- .github/workflows/linter.yml
- .github/workflows/release.yml
Summary
Pin every GitHub Actions reference in .github/workflows/ to a full 40-character commit SHA, following GitHub's hardening guide. This protects against supply-chain attacks where a Git tag could be silently re-pointed to a malicious commit.

Why
Third-party actions (and even first-party ones) are pinned by tag (@v4) by default, but Git tags are mutable. A compromised maintainer or a successful credential theft can repoint a tag to malicious code, and every CI run pulling @v4 would silently execute it. Pinning to a commit SHA makes this impossible — the SHA is content-addressed.

Changes
actions/checkout                34e114876b0b11c390a56381ad16ebd13914f8d5
actions/setup-go                40f1582b2485089dde7abd97c1529aa768e1baff
actions/cache                   0057852bfaa89a56745cba8c7296529d2fc39830
actions/setup-node              49933ea5288caeca8642d1e84afbd3f7d6820020
dart-lang/setup-dart            65eb853c7ba17dde3be364c3d2858773e7144260
nanasess/setup-chromedriver     42cc2998329f041de87dc3cfa33a930eacd57eaa
golangci/golangci-lint-action   9fae48acfc02a90574d7c304a1758ef9895495fa
goreleaser/goreleaser-action    7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8

Files touched:
.github/workflows/go.yml
.github/workflows/linter.yml
.github/workflows/release.yml

Test plan
grep -E "@[0-9a-f]{40}" .github/workflows/*.yml shows every uses: line pinned to a full SHA (grep -v "@[0-9a-f]{40}" returns 0 matches).