summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorYuriy Andamasov <yuriy@vyos.io>2026-05-14 00:50:16 +0300
committerMergify <37929162+mergify[bot]@users.noreply.github.com>2026-05-14 05:08:38 +0000
commit1c7ce94eae1914b32f5dc8f9cdcd2ad203c2fdf7 (patch)
treec3c38a3eab8462a9cf36d861630ad2d4d8b60593
parent628eb360bd84f45cdf4247cd3d1e102fe30bfc45 (diff)
downloadvyos-documentation-1c7ce94eae1914b32f5dc8f9cdcd2ad203c2fdf7.tar.gz
vyos-documentation-1c7ce94eae1914b32f5dc8f9cdcd2ad203c2fdf7.zip
ci(lint-doc): pin all GitHub Actions to commit SHAs
Each `uses:` line was pinned to a mutable version tag (`@v6`, `@v0.8.4`, …). Tags can be rewritten to point to malicious code — CVE-2025-30066 (reviewdog/action-setup) and the tj-actions/changed-files incident in 2025 are the canonical real-world examples. GitHub's hardening guide for Actions recommends pinning to full-length commit SHAs and keeping the tag as a trailing comment for human readability. Resolved each action's tag to its commit SHA via `gh api /repos/<repo>/git/refs/tags/<tag>` and verified the SHA is a commit (not an annotated-tag object) via `gh api /repos/<repo>/git/commits/<sha>`: - actions/checkout v6 -> de0fac2e4500dabe0009e67214ff5f5447ce83dd - bullfrogsec/bullfrog v0.8.4 -> 1831f79cce8ad602eef14d2163873f27081ebfb3 - trilom/file-changes-action v1.2.4 -> a6ca26c14274c33b15e6499323aac178af06ad4b - actions/setup-python v6 -> a309ff8b426b58ec0e2a45f0f869d46889d02405 This change covers `lint-doc.yml` only. A fleet-wide sweep across every workflow in `.github/workflows/` is a separate effort — worth doing because the drift / supply-chain risk is the same in every one. Tracked as a follow-up to this PR's review. Tracked as item 11 of the rolling-side cleanup backlog from PR #2014 / #2019 / #2020 reviews. 🤖 Generated by [robots](https://vyos.io) (cherry picked from commit e99182b911dbe9d3a3f02e000426f7075cadc608)
-rw-r--r--.github/workflows/lint-doc.yml8
1 files changed, 4 insertions, 4 deletions
diff --git a/.github/workflows/lint-doc.yml b/.github/workflows/lint-doc.yml
index eb7386d0..0bd7a197 100644
--- a/.github/workflows/lint-doc.yml
+++ b/.github/workflows/lint-doc.yml
@@ -11,20 +11,20 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Bullfrog Secure Runner
continue-on-error: true
- uses: bullfrogsec/bullfrog@v0.8.4
+ uses: bullfrogsec/bullfrog@1831f79cce8ad602eef14d2163873f27081ebfb3 # v0.8.4
with:
egress-policy: audit
- name: Get File Changes
id: file_changes
- uses: trilom/file-changes-action@v1.2.4
+ uses: trilom/file-changes-action@a6ca26c14274c33b15e6499323aac178af06ad4b # v1.2.4
- name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version: '3.x'