This adds the `helpers:pinGitHubActionDigests` configuration[^1]. It will pin GitHub Actions tags to digests. For example, `actions/checkout@v3.0.2` would become `actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2`.

This is recommended by GitHub's security hardening for GitHub Actions guide[^2]:

> Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
Context
Inspired by: octokit/.github#9
Footnotes
[^1]: https://docs.renovatebot.com/presets-helpers/#helperspingithubactiondigests
[^2]: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
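The check that the guide's recommendation implies, as an added example that is not part of this issue, of Renovate, or of the GitHub guide: a small Python linter that flags `uses:` references in a workflow that are not full 40-hex commit SHAs, plus a helper that rewrites a tag reference into the `@<sha> # tag=<tag>` form shown above. The sample workflow is constructed for this example; the tag/SHA pair is the one quoted in the issue text. The line-oriented regex scan assumes each step is written on its own line (an assumption; it is not a YAML parser).

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a commit SHA.

Added example, not code from the issue, Renovate, or GitHub. It assumes steps
are written one per line so a regex can pick out `uses:` values.
"""
import re

# Matches a `uses:` step line and captures the reference plus any trailing
# `# tag=...` comment of the kind Renovate writes when it pins a digest.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)(?:\s*#\s*tag=(?P<tag>\S+))?",
    re.MULTILINE,
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(ref):
    """Classify one `uses:` value.

    Returns 'local' for actions inside the repository, 'docker' for container
    references, 'pinned' when the ref is a full 40-hex commit SHA, otherwise
    'unpinned' (tag, branch, short SHA, or no ref at all).
    """
    ref = ref.strip("'\"")
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    if "@" not in ref:
        return "unpinned"
    _name, version = ref.rsplit("@", 1)
    return "pinned" if FULL_SHA_RE.fullmatch(version) else "unpinned"


def find_unpinned(workflow_text):
    """Return the external action references that are not pinned to a SHA."""
    unpinned = []
    for match in USES_RE.finditer(workflow_text):
        ref = match.group("ref").strip("'\"")
        if classify(ref) == "unpinned":
            unpinned.append(ref)
    return unpinned


def pin(ref, digest):
    """Rewrite owner/repo@tag into the `@<sha> # tag=<tag>` form.

    The digest is supplied by the caller (a real tool resolves the tag via
    GitHub); this only validates its shape and keeps the tag as a comment.
    """
    if not FULL_SHA_RE.fullmatch(digest):
        raise ValueError(f"not a full commit SHA: {digest!r}")
    name, tag = ref.rsplit("@", 1)
    return f"{name}@{digest} # tag={tag}"


# Constructed sample workflow (not from the issue) mixing pinned and unpinned steps.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3.0.2
      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.18
      - uses: actions/setup-node@main
"""

if __name__ == "__main__":
    for ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"unpinned: {ref}")
    # The tag-to-digest pair quoted in the issue text.
    print(pin("actions/checkout@v3.0.2", "2541b1294d2704b0964813337f33b291d3f8596b"))
```

The `# tag=...` comment is informational only: the runner resolves the SHA and never reads the comment, so a check must key on the SHA (as `classify` does) and not on the comment, which can drift from the commit it annotates. Short SHAs are rejected for the same reason the guide gives: only a full-length commit SHA identifies one immutable Git object.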