
@jsphwhereby

Description

Summary:

Following the incident regarding tj-actions, we have decided to use commit hashes rather than static versions in our GHAs.

Related Issue:

https://linear.app/whereby/issue/BATT-824/pin-external-github-actions-down-by-commit-hash-rather-than-release

Testing

No changes; the version is the same as the commit hash. This just prevents versions from being overridden with malicious code.

Screenshots/GIFs (if applicable)

Checklist

  • My code follows the project's coding standards.
  • I have written unit tests (if applicable).
  • I have updated the documentation (if applicable).
  • By submitting this pull request, I confirm that my contribution is made
    under the terms of the MIT license.

Dependency Updates

Reviewers

@havardholvik
@kevinwhereby
@nandito
@thyal

Additional Information

@jsphwhereby changed the title from "Using commit hashes rather than static versions in GHA #22" to "Using commit hashes rather than static versions in GHA" on Apr 1, 2025
@kevinwhereby
Contributor

I believe this repo is no longer used, it can probably be archived actually right @thyal ?

@thyal
Contributor

thyal commented Apr 1, 2025

> I believe this repo is no longer used, it can probably be archived actually right @thyal ?

Correct.

@jsphwhereby
Author

> > I believe this repo is no longer used, it can probably be archived actually right @thyal ?
>
> Correct.

Makes me job easier, thanks guys :)

@jsphwhereby closed this on Apr 1, 2025