Build: Reference GitHub Actions by commit SHAs #5269
It's important to make sure the SHAs are from the original repositories and not forks.

For reference:
https://github.com/actions/checkout/releases/tag/v3.5.2
actions/checkout@8e5e7e5
https://github.com/github/codeql-action/releases/tag/v2.3.6
github/codeql-action@83f0fe6

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

It's important to make sure the SHAs are from the original repositories and not forks.

For reference:
https://github.com/actions/checkout/releases/tag/v3.5.2
actions/checkout@8e5e7e5
https://github.com/actions/cache/releases/tag/v3.3.1
actions/cache@88522ab
https://github.com/actions/setup-node/releases/tag/v3.6.0
actions/setup-node@64ed1c7

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
Thank you! Please sign the CLA.
@gabibguti Ping. Please sign the OpenJSF CLA, we cannot merge the PR otherwise.
Hi @mgol! Thanks for the reminder. I'm checking internally with Google if I can sign the CLA.
I see. If you're submitting this on company time, I think you'll need to choose the "Proceed as a Corporate Contributor" button.
@mgol Done!
Thanks!
The SHAs are verified to come from the original repositories and not forks.

For reference:
https://github.com/actions/checkout/releases/tag/v3.5.2
actions/checkout@8e5e7e5
https://github.com/actions/cache/releases/tag/v3.3.1
actions/cache@88522ab
https://github.com/actions/setup-node/releases/tag/v3.6.0
actions/setup-node@64ed1c7

Fixes gh-5266
Closes gh-5269

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
(cherry picked from commit 784b9ba)
Summary
Resolves #5266
It's important to make sure the SHAs are from the original repositories and not forks. I have manually verified all of them and added references in the commit descriptions.
Checklist
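
A check for the kind of pinning this PR introduces, as an added example that is not part of the PR or the project's own code: it lists `uses:` references in a workflow file that are not pinned to a full 40-character commit SHA. The sample workflow, its placeholder SHAs and the function names are constructed for illustration; the script checks only the form of the pin, not which repository the commit came from.

```python
import re

# Matches a step's `uses:` value and an optional trailing comment (e.g. "# v3.5.2").
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)['\"]?\s*(?:#\s*(.*))?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify(ref):
    """Return 'local', 'docker', 'pinned' or 'mutable' for one `uses:` value."""
    if ref.startswith("./"):
        return "local"          # action stored in the same repository
    if ref.startswith("docker://"):
        return "docker"         # container image reference, not a git ref
    _, sep, rev = ref.rpartition("@")
    if sep and FULL_SHA_RE.match(rev):
        return "pinned"         # full commit SHA
    return "mutable"            # tag, branch, short SHA or missing ref

def audit(workflow_text):
    """Return (line_no, uses_value, kind, comment) for every `uses:` line."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            findings.append((no, m.group(1), classify(m.group(1)), m.group(2) or ""))
    return findings

def unpinned(workflow_text):
    """Return (line_no, uses_value) for references that can change under you."""
    return [(no, ref) for no, ref, kind, _ in audit(workflow_text) if kind == "mutable"]

# Constructed sample workflow; the 40-character SHAs are placeholders, not real commits.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v3.5.2
      - uses: actions/cache@v3
      - name: Node
        uses: actions/setup-node@main
      - uses: github/codeql-action/init@bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for no, ref, kind, comment in audit(SAMPLE):
        print(f"line {no}: {kind:8} {ref} {comment}")
```
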