Commit a20ffa2

fix: pin third-party actions and trust docker publisher (#891)
## Summary

- Pin `dorny/paths-filter`, `softprops/action-gh-release`, and `peter-evans/repository-dispatch` to full commit SHAs for supply chain security
- Add `docker` to `TRUSTED_PUBLISHERS` in `scripts/audit_actions.ts` so `docker/*` actions are accepted with tag-only pins

## Test Plan

- `deno fmt --check`, `deno lint`, and `deno run test` all pass
- CI security review should no longer flag unpinned third-party actions
1 parent c0abc5a commit a20ffa2

File tree

3 files changed: 4 additions, 3 deletions


.github/workflows/ci.yml

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -22,7 +22,7 @@ jobs:
2222
uses: actions/checkout@v4
2323

2424
- name: Check for changes
25-
uses: dorny/paths-filter@v3
25+
uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
2626
id: filter
2727
with:
2828
filters: |
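Review bot: on line 25 (`uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3`) the trailing `# v3` is a free-text comment that nothing checks against the SHA, so it will silently go stale the first time the pin is bumped without the comment being updated, and an audit script cannot distinguish a mismatched comment from a correct one. Before merging, confirm the SHA is reachable from the upstream `v3` tag, and consider wiring an updater such as Dependabot's github-actions ecosystem so the pinned SHA keeps receiving upstream fixes instead of freezing on this commit. The unchanged `uses: actions/checkout@v4` two lines up stays tag-pinned, which is consistent with `actions` being in `TRUSTED_PUBLISHERS`, so that is not a gap.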

.github/workflows/release.yml

Lines changed: 2 additions & 2 deletions
@@ -143,7 +143,7 @@ jobs:
143143
} >> /tmp/release_body.md
144144
145145
- name: Create GitHub Release
146-
uses: softprops/action-gh-release@v2
146+
uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
147147
with:
148148
tag_name: v${{ steps.version.outputs.version }}
149149
name: swamp ${{ steps.version.outputs.version }}
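Review bot: the `# v2` comment on line 146 records an intent, not a verified fact: a reviewer reading `153bb8e04406b158c6c84fc1615b65b24149a1fe` cannot tell from the diff that it is the commit the upstream `v2` tag pointed to when this was written. Record in the PR how the SHA was obtained (a `git ls-remote` lookup or the upstream release page), because this is the step that publishes the release under `tag_name: v${{ steps.version.outputs.version }}`, so it is the one place where a wrong or malicious pin could ship artifacts under the project's name; the extra verification is cheapest here.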
@@ -159,7 +159,7 @@ jobs:
159159
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
160160

161161
- name: Trigger UAT
162-
uses: peter-evans/repository-dispatch@v3
162+
uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3
163163
with:
164164
token: ${{ secrets.UAT_TRIGGER_TOKEN }}
165165
repository: systeminit/swamp-uat
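Review bot: the pin on line 162 matters most in this hunk because the step hands `token: ${{ secrets.UAT_TRIGGER_TOKEN }}` to a third-party action. Unlike the `GITHUB_TOKEN` on line 159, which is scoped to the workflow run, `UAT_TRIGGER_TOKEN` is a stored credential that must be able to dispatch into `systeminit/swamp-uat`, so whatever runs at that SHA can use it. Confirm it is a fine-grained token restricted to that single repository with only the permission a repository dispatch needs, so that the blast radius of a bad pin update is bounded by what the token can do rather than by what the action chooses to do.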

scripts/audit_actions.ts

Lines changed: 1 addition & 0 deletions
@@ -58,6 +58,7 @@ const TRUSTED_PUBLISHERS = new Set([
5858
"actions",
5959
"anthropics",
6060
"denoland",
61+
"docker",
6162
"github",
6263
]);
6364
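Review bot: adding `"docker"` on line 61 widens the allowlist without recording the criterion for membership. The set now mixes GitHub-owned namespaces (`actions`, `github`) with third-party organizations (`anthropics`, `denoland`, `docker`), and a reader cannot tell from the code why an org earns tag-only trust. Add a comment above `TRUSTED_PUBLISHERS` stating the rule (for instance, verified-creator organizations whose releases the team has reviewed) so the next addition is reviewed against the same bar. Keep in mind that the exemption trades the immutability of a SHA for trust in the org's tag hygiene: a tag such as `v3` can be moved by anyone with write access to that repository, so `docker/*` steps will not get the protection the other three files in this commit just gained. Alphabetical order is preserved, which keeps future insertions easy to review.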
