Pin actions/github-script to commit SHA in first-time-contributor workflow #6730
harshitghagre wants to merge 2 commits into pipe-cd:master from
Conversation
…kflow Signed-off-by: harshitghagre <harshitghagre183@gmail.com>
eeshaanSA
left a comment
Hey @harshitghagre, have you verified this SHA?
Yes @eeshaanSA, I verified it.
Ayushmore1214
left a comment
@harshitghagre looks good to me; can we check it running once locally, to see if it works or fails?
@harshitghagre Please get assigned to the issue first before opening a PR, and discuss your idea or suggestion in the issue thread so other people can also learn from it, as in the end open source is all about learning. Let it be for now as you are a new contributor here, but mind it next time. Keep going, you are doing well!!!
Thanks @Ayushmore1214 for the heads up! I'll make sure to get assigned on the issue first and discuss my approach before opening PRs going forward. Appreciate the guidance 🙏
@Ayushmore1214 I can’t test this locally because it needs the GitHub environment. I checked the SHA using

What this PR does:
Pins actions/github-script from the mutable tag @v7 to its commit SHA f28e40c7f34bde8b3046d885e986cb6290c5673b in the first-time-contributor.yaml workflow. This follows the same convention used by other actions in this repo.
Why we need it:
The workflow currently fails for every first-time contributor because actions/github-script@v7 is not in the repository's allowed GitHub Actions list. Pinning to a commit SHA is a prerequisite for adding it to the allowed list, and also improves security by preventing supply-chain attacks via mutable tags.
Which issue(s) this PR fixes:
Fixes #6726
Does this PR introduce a user-facing change?:
The bot will start working again for new contributors once the SHA is added to the allowed list.
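As an added example (not code from the pipe-cd project or from this PR), here is a small stdlib-only check of the property the PR is about: every `uses:` reference in a workflow should be a full 40-hex commit SHA rather than a tag like `@v7`, and the rewrite should keep a `# v7` comment so Dependabot can still track upstream releases. The workflow excerpt and the `actions/checkout` SHA below are constructed placeholders; the `actions/github-script` SHA is the one this PR states, and a reviewer should still confirm it resolves from the tag independently, for instance with `git ls-remote --tags https://github.com/actions/github-script v7` (for an annotated tag, the peeled `^{}` entry is the commit to pin, not the tag object).

```python
import re

# Matches a `uses:` step reference in a GitHub Actions workflow, e.g.
#   - uses: actions/github-script@v7
#     uses: actions/checkout@<40-hex-sha> # v4
# Local actions (`uses: ./.github/actions/x`) carry no `@` and are skipped.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<action>[^@\s#]+)@(?P<ref>[^\s#]+)")

# Only a full 40-hex-digit commit SHA counts as a pin; tags, branches and
# abbreviated SHAs are mutable or ambiguous and are reported as unpinned.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(workflow_text):
    """Return [(action, ref, pinned)] for every `uses:` line in the text."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            action, ref = m.group("action"), m.group("ref")
            out.append((action, ref, bool(FULL_SHA_RE.match(ref))))
    return out


def unpinned_actions(workflow_text):
    """Actions referenced by something other than a full commit SHA."""
    return [(a, r) for a, r, pinned in classify_uses(workflow_text) if not pinned]


def pin_action(workflow_text, action, tag, sha):
    """Rewrite `uses: <action>@<tag>` to `uses: <action>@<sha> # <tag>`.

    The trailing `# <tag>` comment is what Dependabot reads to keep a
    SHA-pinned action current, so it is written on purpose.
    """
    if not FULL_SHA_RE.match(sha):
        raise ValueError(f"refusing to pin {action} to non-full SHA {sha!r}")
    pat = re.compile(
        rf"^(?P<lead>\s*-?\s*uses:\s*{re.escape(action)}@){re.escape(tag)}[ \t]*(?:#.*)?$",
        re.MULTILINE,
    )
    return pat.sub(lambda m: f"{m.group('lead')}{sha} # {tag}", workflow_text)


# Constructed workflow excerpt modelled on the change in this PR; the
# checkout SHA is a placeholder, not a real actions/checkout commit.
BEFORE = """\
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions/github-script@v7
        with:
          script: |
            core.info("hello")
"""

# SHA as stated in this PR for the v7 tag of actions/github-script.
GITHUB_SCRIPT_V7_SHA = "f28e40c7f34bde8b3046d885e986cb6290c5673b"

AFTER = pin_action(BEFORE, "actions/github-script", "v7", GITHUB_SCRIPT_V7_SHA)

if __name__ == "__main__":
    print("unpinned before:", unpinned_actions(BEFORE))
    print("unpinned after: ", unpinned_actions(AFTER))
    print(AFTER)
```

Running this over a whole `.github/workflows/` directory and failing CI when `unpinned_actions` is non-empty is a cheap guard against the drift the PR fixes; the check reports abbreviated SHAs as unpinned as well, since GitHub's allowed-actions patterns and Dependabot both expect the full commit hash.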