summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorYuriy Andamasov <yuriy@vyos.io>2026-05-14 00:50:16 +0300
committerYuriy Andamasov <yuriy@vyos.io>2026-05-14 00:50:16 +0300
commite99182b911dbe9d3a3f02e000426f7075cadc608 (patch)
treeb552493e9e5d04268fb36253f1cbafa62b363f27
parent1ef5684729646ca3a24aff83ab8edd0aa57914c7 (diff)
downloadvyos-documentation-e99182b911dbe9d3a3f02e000426f7075cadc608.tar.gz
vyos-documentation-e99182b911dbe9d3a3f02e000426f7075cadc608.zip
ci(lint-doc): pin all GitHub Actions to commit SHAs
Each `uses:` line was pinned to a mutable version tag (`@v6`, `@v0.8.4`, …). Tags can be rewritten to point to malicious code — CVE-2025-30066 (reviewdog/action-setup) and the tj-actions/changed-files incident in 2025 are the canonical real-world examples. GitHub's hardening guide for Actions recommends pinning to full-length commit SHAs and keeping the tag as a trailing comment for human readability. Resolved each action's tag to its commit SHA via `gh api /repos/<repo>/git/refs/tags/<tag>` and verified the SHA is a commit (not an annotated-tag object) via `gh api /repos/<repo>/git/commits/<sha>`: - actions/checkout v6 -> de0fac2e4500dabe0009e67214ff5f5447ce83dd - bullfrogsec/bullfrog v0.8.4 -> 1831f79cce8ad602eef14d2163873f27081ebfb3 - trilom/file-changes-action v1.2.4 -> a6ca26c14274c33b15e6499323aac178af06ad4b - actions/setup-python v6 -> a309ff8b426b58ec0e2a45f0f869d46889d02405 This change covers `lint-doc.yml` only. A fleet-wide sweep across every workflow in `.github/workflows/` is a separate effort — worth doing because the drift / supply-chain risk is the same in every one. Tracked as a follow-up to this PR's review. Tracked as item 11 of the rolling-side cleanup backlog from PR #2014 / #2019 / #2020 reviews. 🤖 Generated by [robots](https://vyos.io)
-rw-r--r--.github/workflows/lint-doc.yml8
1 files changed, 4 insertions, 4 deletions
diff --git a/.github/workflows/lint-doc.yml b/.github/workflows/lint-doc.yml
index eb7386d0..0bd7a197 100644
--- a/.github/workflows/lint-doc.yml
+++ b/.github/workflows/lint-doc.yml
@@ -11,20 +11,20 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Bullfrog Secure Runner
continue-on-error: true
- uses: bullfrogsec/bullfrog@v0.8.4
+ uses: bullfrogsec/bullfrog@1831f79cce8ad602eef14d2163873f27081ebfb3 # v0.8.4
with:
egress-policy: audit
- name: Get File Changes
id: file_changes
- uses: trilom/file-changes-action@v1.2.4
+ uses: trilom/file-changes-action@a6ca26c14274c33b15e6499323aac178af06ad4b # v1.2.4
- name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version: '3.x'