Commit 364565b

CI/CD rule updates
1 parent 873937a commit 364565b

1 file changed

+18
-0
lines changed

.cursor/rules/cicd-patterns.mdc

Lines changed: 18 additions & 0 deletions
@@ -6,6 +6,24 @@ alwaysApply: false
66

77
# CI/CD Workflow Guidelines
88

9+
## Security: Pin Actions by Commit Hash
10+
11+
**ALWAYS pin GitHub Actions to specific commit SHAs** instead of version tags for enhanced security. This prevents supply chain attacks where tags could be moved to malicious commits.
12+
13+
Example:
14+
15+
```yaml
16+
# ✅ CORRECT - Pinned by hash with version comment
17+
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
18+
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # 4.6.2
19+
20+
# ❌ INCORRECT - Using version tag
21+
- uses: actions/checkout@v4
22+
- uses: actions/upload-artifact@v4.6.2
23+
```
24+
25+
The comment after the hash helps maintainability by showing which version is pinned.
26+
927
## Reusable Workflow Pattern
1028

1129
- Main `ci.yml` calls separate workflows (`lint.yml`, `test.yml`, etc.)
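Review bot: the new section tells readers to pin by commit SHA but never says where the SHA comes from or how it is checked against the version, so in the CORRECT example the `# 5.0.0` and `# 4.6.2` comments are the only link between hash and release, and a YAML comment is never verified by anything. Suggest one added sentence stating that the hash must be copied from the action's tagged release commit and that the trailing comment is informational only (a wrong comment still pins whatever the hash points at). The rule would also benefit from a line on how pinned hashes are kept current (the review step or tooling this repository expects), since without an update path hash pins tend to go stale. Finally, in the INCORRECT block it is worth spelling out why `actions/upload-artifact@v4.6.2` is still wrong despite naming a full version: a tag, however specific, is mutable, which is exactly the case the "tags could be moved to malicious commits" sentence describes.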

0 commit comments
