
[core] Pin GitHub Action to digests #34855

Merged

Conversation

@oliviertassinari oliviertassinari commented Oct 22, 2022

The idea is to follow https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

You can help mitigate this risk by following these good practices: Pin actions to a full length commit SHA

It uses: https://docs.renovatebot.com/modules/manager/github-actions/. If it works well, we need to apply it to all the other repositories.

@oliviertassinari oliviertassinari added the core Infrastructure work going on behind the scenes label Oct 22, 2022
@oliviertassinari oliviertassinari requested a review from a team October 22, 2022 17:26
@oliviertassinari oliviertassinari added the security Pull requests that address a security vulnerability label Oct 22, 2022
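As an added example (not code from this PR, from MUI or from Renovate), here is a small Python check for the practice the description points at: it flags every `uses:` reference in a workflow that is not pinned to a full-length commit SHA (or, for `docker://` actions, to a `sha256:` digest), and rewrites a line once the SHA has been resolved out of band, for instance by Renovate or `git ls-remote`. The workflow text and the all-zero SHA are constructed placeholders, not real repositories or commits.

```python
"""Added example: flag GitHub Actions `uses:` references that are not pinned
to a full-length commit SHA, and rewrite a line once the SHA is known.
Not MUI's or Renovate's code; the sample workflow below is constructed."""
import re
from typing import List, Optional, Tuple

# "uses: owner/repo[/path]@ref", "uses: ./local/action", "uses: docker://img[@digest]",
# optionally followed by a "# comment" (Renovate keeps the original tag there).
USES_RE = re.compile(
    r"^(?P<prefix>\s*(?:-\s*)?uses:\s*)"
    r"(?P<action>[^@\s#]+)"
    r"(?:@(?P<ref>[^\s#]+))?"
    r"(?P<comment>\s*#.*)?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DOCKER_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def classify_ref(action: str, ref: Optional[str]) -> str:
    """Return 'local', 'pinned' or 'unpinned' for one `uses:` reference."""
    if action.startswith("./"):
        # Actions inside the repository are reviewed together with the code.
        return "local"
    if action.startswith("docker://"):
        # Container actions are pinned by image digest, not by tag.
        return "pinned" if ref and DOCKER_DIGEST_RE.match(ref) else "unpinned"
    # Tags and branches are mutable; only a 40-hex commit SHA is immutable.
    return "pinned" if ref and FULL_SHA_RE.match(ref) else "unpinned"


def find_unpinned(workflow_text: str) -> List[Tuple[int, str, Optional[str]]]:
    """Return (line number, action, ref) for every reference that is not pinned."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify_ref(m.group("action"), m.group("ref")) == "unpinned":
            findings.append((lineno, m.group("action"), m.group("ref")))
    return findings


def pin_line(line: str, sha: str) -> str:
    """Rewrite one `uses:` line to `action@<sha> # <original ref>`.

    Resolving the tag to a SHA happens out of band (Renovate, or
    `git ls-remote <repo> refs/tags/<tag>`); this only rewrites the line.
    """
    m = USES_RE.match(line)
    if not m or m.group("ref") is None:
        raise ValueError(f"not a pinnable `uses:` line: {line!r}")
    if not FULL_SHA_RE.match(sha):
        raise ValueError("a full-length 40-hex commit SHA is required")
    return f"{m.group('prefix')}{m.group('action')}@{sha} # {m.group('ref')}"


# Constructed sample workflow; the all-zero SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # v3.5.1
      - uses: ./.github/actions/local-setup
      - uses: docker://alpine:3.16
      - name: Test
        run: npm test
"""

if __name__ == "__main__":
    for lineno, action, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}@{ref or ''} is not pinned to a digest")
```

The trailing `# <tag>` comment that `pin_line` writes keeps the human-readable version next to the SHA, the same convention Renovate uses when it pins digests, so later upgrade PRs stay readable in diffs. Run against the sample it reports `actions/checkout@v3` and the `docker://alpine:3.16` tag; the local action is skipped and the SHA-pinned `setup-node` passes.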

mui-bot commented Oct 22, 2022

Messages
📖 Netlify deploy preview: https://deploy-preview-34855--material-ui.netlify.app/

No bundle size changes

Generated by 🚫 dangerJS against deb5ddc

@michaldudak
Member

Does it work with GitHub Actions? The docs for pinDigests mention Docker images only.
The doc you linked offers an alternative config setting:

{
  "extends": ["helpers:pinGitHubActionDigests"]
}

oliviertassinari commented Oct 26, 2022

Does it work with GitHub Actions? The docs for pinDigests mention Docker images only.

@michaldudak The support for GitHub Actions was added in renovatebot/renovate#10835.

The doc you linked offers an alternative config setting:

These two are equivalent. I went with the lower level primitives.

@oliviertassinari oliviertassinari merged commit 5df95f1 into mui:master Oct 29, 2022
@oliviertassinari oliviertassinari deleted the pin-version-github-actions branch October 29, 2022 14:32
oliviertassinari commented Oct 29, 2022

renovatebot/renovate#18578 got merged, so we are likely good. We will see how this goes in the next Renovate PR update cycle.

Edit: it does work, proof: #34929.
