diff options
| author | Yuriy Andamasov <yuriy@vyos.io> | 2026-05-14 00:50:16 +0300 |
|---|---|---|
| committer | Mergify <37929162+mergify[bot]@users.noreply.github.com> | 2026-05-14 05:08:55 +0000 |
| commit | 92c4382a8dc5d688a9237cb1df1faba38ffc3020 (patch) | |
| tree | cb6ee75d960eec6e0c14ab73ca64637060b5cf80 /scripts | |
| parent | 2d600625c766416c9dfe79b3d595255c7a191cfe (diff) | |
| download | vyos-documentation-92c4382a8dc5d688a9237cb1df1faba38ffc3020.tar.gz vyos-documentation-92c4382a8dc5d688a9237cb1df1faba38ffc3020.zip | |
ci(lint-doc): pin all GitHub Actions to commit SHAs
Each `uses:` line was pinned to a mutable version tag (`@v6`,
`@v0.8.4`, …). Tags can be rewritten to point to malicious code —
CVE-2025-30066 (reviewdog/action-setup) and the tj-actions/changed-files
incident in 2025 are the canonical real-world examples. GitHub's
hardening guide for Actions recommends pinning to full-length commit
SHAs and keeping the tag as a trailing comment for human readability.
Resolved each action's tag to its commit SHA via `gh api
/repos/<repo>/git/refs/tags/<tag>` and verified the SHA is a commit
(not an annotated-tag object) via `gh api
/repos/<repo>/git/commits/<sha>`:
- actions/checkout v6 -> de0fac2e4500dabe0009e67214ff5f5447ce83dd
- bullfrogsec/bullfrog v0.8.4 -> 1831f79cce8ad602eef14d2163873f27081ebfb3
- trilom/file-changes-action v1.2.4 -> a6ca26c14274c33b15e6499323aac178af06ad4b
- actions/setup-python v6 -> a309ff8b426b58ec0e2a45f0f869d46889d02405
This change covers `lint-doc.yml` only. A fleet-wide sweep across
every workflow in `.github/workflows/` is a separate effort —
worth doing because the drift / supply-chain risk is the same in
every one. Tracked as a follow-up to this PR's review.
Tracked as item 11 of the rolling-side cleanup backlog from PR #2014
/ #2019 / #2020 reviews.
🤖 Generated by [robots](https://vyos.io)
(cherry picked from commit e99182b911dbe9d3a3f02e000426f7075cadc608)
Diffstat (limited to 'scripts')
0 files changed, 0 insertions, 0 deletions
