diff options
| author | Yuriy Andamasov <yuriy@vyos.io> | 2026-05-14 00:50:16 +0300 |
|---|---|---|
| committer | Yuriy Andamasov <yuriy@vyos.io> | 2026-05-14 00:50:16 +0300 |
| commit | e99182b911dbe9d3a3f02e000426f7075cadc608 (patch) | |
| tree | b552493e9e5d04268fb36253f1cbafa62b363f27 /.github | |
| parent | 1ef5684729646ca3a24aff83ab8edd0aa57914c7 (diff) | |
| download | vyos-documentation-e99182b911dbe9d3a3f02e000426f7075cadc608.tar.gz vyos-documentation-e99182b911dbe9d3a3f02e000426f7075cadc608.zip | |
ci(lint-doc): pin all GitHub Actions to commit SHAs
Each `uses:` line was pinned to a mutable version tag (`@v6`,
`@v0.8.4`, …). Tags can be rewritten to point to malicious code —
CVE-2025-30066 (reviewdog/action-setup) and the tj-actions/changed-files
incident in 2025 are the canonical real-world examples. GitHub's
hardening guide for Actions recommends pinning to full-length commit
SHAs and keeping the tag as a trailing comment for human readability.
Resolved each action's tag to its commit SHA via `gh api
/repos/<repo>/git/refs/tags/<tag>` and verified the SHA is a commit
(not an annotated-tag object) via `gh api
/repos/<repo>/git/commits/<sha>`:
- actions/checkout v6 -> de0fac2e4500dabe0009e67214ff5f5447ce83dd
- bullfrogsec/bullfrog v0.8.4 -> 1831f79cce8ad602eef14d2163873f27081ebfb3
- trilom/file-changes-action v1.2.4 -> a6ca26c14274c33b15e6499323aac178af06ad4b
- actions/setup-python v6 -> a309ff8b426b58ec0e2a45f0f869d46889d02405
This change covers `lint-doc.yml` only. A fleet-wide sweep across
every workflow in `.github/workflows/` is a separate effort —
worth doing because the drift / supply-chain risk is the same in
every one. Tracked as a follow-up to this PR's review.
Tracked as item 11 of the rolling-side cleanup backlog from PR #2014
/ #2019 / #2020 reviews.
🤖 Generated by [robots](https://vyos.io)
Diffstat (limited to '.github')
| -rw-r--r-- | .github/workflows/lint-doc.yml | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/.github/workflows/lint-doc.yml b/.github/workflows/lint-doc.yml index eb7386d0..0bd7a197 100644 --- a/.github/workflows/lint-doc.yml +++ b/.github/workflows/lint-doc.yml @@ -11,20 +11,20 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Bullfrog Secure Runner continue-on-error: true - uses: bullfrogsec/bullfrog@v0.8.4 + uses: bullfrogsec/bullfrog@1831f79cce8ad602eef14d2163873f27081ebfb3 # v0.8.4 with: egress-policy: audit - name: Get File Changes id: file_changes - uses: trilom/file-changes-action@v1.2.4 + uses: trilom/file-changes-action@a6ca26c14274c33b15e6499323aac178af06ad4b # v1.2.4 - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: '3.x' |
