summaryrefslogtreecommitdiff
path: root/docs/_include/interface-address.txt
diff options
context:
space:
mode:
authorYuriy Andamasov <yuriy@vyos.io>2026-05-14 00:50:16 +0300
committerYuriy Andamasov <yuriy@vyos.io>2026-05-14 00:50:16 +0300
commite99182b911dbe9d3a3f02e000426f7075cadc608 (patch)
treeb552493e9e5d04268fb36253f1cbafa62b363f27 /docs/_include/interface-address.txt
parent1ef5684729646ca3a24aff83ab8edd0aa57914c7 (diff)
downloadvyos-documentation-e99182b911dbe9d3a3f02e000426f7075cadc608.tar.gz
vyos-documentation-e99182b911dbe9d3a3f02e000426f7075cadc608.zip
ci(lint-doc): pin all GitHub Actions to commit SHAs
Each `uses:` line was pinned to a mutable version tag (`@v6`, `@v0.8.4`, …). Tags can be rewritten to point to malicious code — CVE-2025-30066 (reviewdog/action-setup) and the tj-actions/changed-files incident in 2025 are the canonical real-world examples. GitHub's hardening guide for Actions recommends pinning to full-length commit SHAs and keeping the tag as a trailing comment for human readability. Resolved each action's tag to its commit SHA via `gh api /repos/<repo>/git/refs/tags/<tag>` and verified the SHA is a commit (not an annotated-tag object) via `gh api /repos/<repo>/git/commits/<sha>`: - actions/checkout v6 -> de0fac2e4500dabe0009e67214ff5f5447ce83dd - bullfrogsec/bullfrog v0.8.4 -> 1831f79cce8ad602eef14d2163873f27081ebfb3 - trilom/file-changes-action v1.2.4 -> a6ca26c14274c33b15e6499323aac178af06ad4b - actions/setup-python v6 -> a309ff8b426b58ec0e2a45f0f869d46889d02405 This change covers `lint-doc.yml` only. A fleet-wide sweep across every workflow in `.github/workflows/` is a separate effort — worth doing because the drift / supply-chain risk is the same in every one. Tracked as a follow-up to this PR's review. Tracked as item 11 of the rolling-side cleanup backlog from PR #2014 / #2019 / #2020 reviews. 🤖 Generated by [robots](https://vyos.io)
Diffstat (limited to 'docs/_include/interface-address.txt')
0 files changed, 0 insertions, 0 deletions