Skip to content

Commit ca300de

Browse files
emptyhammondm-hulbert
authored andcommitted
ci: pin third-party actions to commit SHAs
Pin actions/checkout, actions/github-script, and fastruby/manage-heroku-review-app to commit SHAs with the tag preserved as a trailing comment, so an upstream tag move cannot silently change what runs in CI. Identified by a routine workflow security audit.
1 parent e7c193c commit ca300de

1 file changed

Lines changed: 3 additions & 3 deletions

File tree

.github/workflows/review-app.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -19,13 +19,13 @@ jobs:
1919
(github.event.action == 'closed' && contains(github.event.pull_request.labels.*.name, 'review-app'))
2020
steps:
2121
- name: Checkout code
22-
uses: actions/checkout@v4
22+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
2323
with:
2424
persist-credentials: false
2525

2626
- name: Check if user is an Ably organization member
2727
if: github.event.action == 'labeled' && github.event.label.name == 'review-app'
28-
uses: actions/github-script@v7
28+
uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
2929
with:
3030
github-token: ${{ secrets.ABLY_ORG_TOKEN }}
3131
script: |
@@ -60,7 +60,7 @@ jobs:
6060
}
6161
6262
- name: Manage Heroku Review App
63-
uses: fastruby/manage-heroku-review-app@v1.3
63+
uses: fastruby/manage-heroku-review-app@9fa49f0320460f278c3687bc348dd0cbb18555dc # v1.3
6464
with:
6565
action: ${{ (github.event.action == 'labeled' && github.event.label.name == 'review-app' && 'create') || 'destroy' }}
6666
env:

0 commit comments

Comments
 (0)