summaryrefslogtreecommitdiff
path: root/scripts
diff options
context:
space:
mode:
authorYuriy Andamasov <yuriy@vyos.io>2026-05-14 00:50:16 +0300
committerMergify <37929162+mergify[bot]@users.noreply.github.com>2026-05-14 05:08:38 +0000
commit1c7ce94eae1914b32f5dc8f9cdcd2ad203c2fdf7 (patch)
treec3c38a3eab8462a9cf36d861630ad2d4d8b60593 /scripts
parent628eb360bd84f45cdf4247cd3d1e102fe30bfc45 (diff)
downloadvyos-documentation-1c7ce94eae1914b32f5dc8f9cdcd2ad203c2fdf7.tar.gz
vyos-documentation-1c7ce94eae1914b32f5dc8f9cdcd2ad203c2fdf7.zip
ci(lint-doc): pin all GitHub Actions to commit SHAs
Each `uses:` line was pinned to a mutable version tag (`@v6`, `@v0.8.4`, …). Tags can be rewritten to point to malicious code — CVE-2025-30066 (reviewdog/action-setup) and the tj-actions/changed-files incident in 2025 are the canonical real-world examples. GitHub's hardening guide for Actions recommends pinning to full-length commit SHAs and keeping the tag as a trailing comment for human readability. Resolved each action's tag to its commit SHA via `gh api /repos/<repo>/git/refs/tags/<tag>` and verified the SHA is a commit (not an annotated-tag object) via `gh api /repos/<repo>/git/commits/<sha>`: - actions/checkout v6 -> de0fac2e4500dabe0009e67214ff5f5447ce83dd - bullfrogsec/bullfrog v0.8.4 -> 1831f79cce8ad602eef14d2163873f27081ebfb3 - trilom/file-changes-action v1.2.4 -> a6ca26c14274c33b15e6499323aac178af06ad4b - actions/setup-python v6 -> a309ff8b426b58ec0e2a45f0f869d46889d02405 This change covers `lint-doc.yml` only. A fleet-wide sweep across every workflow in `.github/workflows/` is a separate effort — worth doing because the drift / supply-chain risk is the same in every one. Tracked as a follow-up to this PR's review. Tracked as item 11 of the rolling-side cleanup backlog from PR #2014 / #2019 / #2020 reviews. 🤖 Generated by [robots](https://vyos.io) (cherry picked from commit e99182b911dbe9d3a3f02e000426f7075cadc608)
Diffstat (limited to 'scripts')
0 files changed, 0 insertions, 0 deletions