💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 82b0b153ab
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
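Review bot: the replacement `uses:` line moves actions/checkout from v4 to v6.0.2 in the same edit that pins it, so a CI failure after merge cannot be attributed to pinning versus the major-version bump; a pinning-only change would pin to a commit on the v4 line and leave the upgrade to its own PR. Keep the trailing `# v6.0.2` comment convention on every pinned line: once the tag is gone from the ref, that comment is the only human-readable record of which release the SHA corresponds to, and it is what version-update tooling reads to bump the pin later.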
Pin checkout to v4 SHA instead of upgrading to v6
This change is presented as a SHA pinning hardening update, but it also upgrades actions/checkout from v4 to v6.0.2 in the build workflow that runs on self-hosted aws-general-8-plus runners; that introduces a runtime compatibility change unrelated to pinning and can cause CI failures on runners that are still provisioned for the v4 line. To avoid breaking builds during a security-only update, pin to a v4 commit (or perform the major-version runner upgrade in a separate, explicit change).
🔒 Pin GitHub Actions to commit SHAs
This PR pins all GitHub Actions to their exact commit SHA instead of mutable tags or branch names.
Why?
Pinning to a SHA prevents supply chain attacks where a tag (e.g. v4) could be moved to point to malicious code.

Changes

| Workflow | Action | Old ref | New ref | Pinned SHA |
|---|---|---|---|---|
| build-image.yml | actions/checkout | v4 | v6.0.2 | de0fac2e4500… |
| build-image.yml | docker/metadata-action | v5 | v5 | c299e40c6544… |
| build-image.yml | docker/setup-qemu-action | v3 | v3 | c7c53464625b… |
| build-image.yml | docker/setup-buildx-action | v3 | v3 | 8d2750c68a42… |
| build-image.yml | docker/login-action | v3 | v3 | c94ce9fb4685… |
| build-image.yml | rlespinasse/github-slug-action | v4.5.0 | v4.5.0 | 797d68864753… |
| build-image.yml | docker/build-push-action | v5 | v5 | ca052bb54ab0… |
| build-image.yml | actions/checkout | v4 | v6.0.2 | de0fac2e4500… |
| build-image.yml | docker/metadata-action | v5 | v5 | c299e40c6544… |
| build-image.yml | docker/setup-qemu-action | v3 | v3 | c7c53464625b… |
| build-image.yml | docker/setup-buildx-action | v3 | v3 | 8d2750c68a42… |
| build-image.yml | docker/login-action | v3 | v3 | c94ce9fb4685… |
| build-image.yml | rlespinasse/github-slug-action | v4.5.0 | v4.5.0 | 797d68864753… |
| build-image.yml | docker/build-push-action | v5 | v5 | ca052bb54ab0… |
| slugify.yaml | actions/setup-go | v5 | v5 | 40f1582b2485… |
| deploy-prod.yml | actions/checkout | v4 | v6.0.2 | de0fac2e4500… |
| deploy-prod.yml | docker/login-action | v3 | v3 | c94ce9fb4685… |
| deploy-prod.yml | docker/metadata-action | v5 | v5 | c299e40c6544… |
| deploy-prod.yml | docker/setup-buildx-action | v3 | v3 | 8d2750c68a42… |
| deploy-prod.yml | rlespinasse/github-slug-action | v4.5.0 | v4.5.0 | 797d68864753… |
| deploy-prod.yml | docker/build-push-action | v5 | v5 | ca052bb54ab0… |
| deploy-prod.yml | rlespinasse/github-slug-action | v4.5.0 | v4.5.0 | 797d68864753… |
| deploy-prod.yml | aurelien-baudet/workflow-dispatch | v2 | v2 | 93e95b157d79… |
| build-docs.yml | huggingface/doc-builder/.github/workflows/build_main_documentation.yml | main | main | 90b4ee2c10b8… |
| build-pr-docs.yml | huggingface/doc-builder/.github/workflows/build_pr_documentation.yml | main | main | 90b4ee2c10b8… |
| upload-pr-documentation.yml | huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml | main | main | 90b4ee2c10b8… |
| trufflehog.yml | actions/checkout | v4 | v6.0.2 | de0fac2e4500… |
| trufflehog.yml | trufflesecurity/trufflehog | main | main | 6bd2d14f7a4b… |

Closes huggingface/tracking-issues#79
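The PR description states the rule (a tag such as `v4` or a branch such as `main` is mutable, a full commit SHA is not) but gives no way to check that a repository actually follows it after merge. The following is an added example, not code from this PR or from the huggingface repository, of a checker that scans workflow text for every `uses:` reference (step-level actions and job-level reusable workflows alike) and reports which ones are pinned to a full 40-hex SHA, which carry the `# vX.Y.Z` tracking comment, and which are still on a mutable tag or branch. It is regex-based rather than a YAML parser so it runs on the standard library alone; the sample workflow, the `./.github/actions/local-helper` path and the `0123456789abcdef…` SHA for setup-go are constructed for the example and are not refs from the PR.

```python
"""Report which `uses:` references in a GitHub Actions workflow are SHA-pinned."""
import re
from dataclasses import dataclass
from typing import List, Optional

# A full 40-hex commit SHA. Truncated SHAs (like the 12-char ones shown in the PR
# table) are display artefacts; the workflow files themselves carry the full hash,
# and only the full hash is accepted as a pin here.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Step-level ("- uses:") or job-level ("uses:") reference, optionally quoted, with
# an optional trailing "# v6.0.2"-style comment recording the tag the SHA maps to.
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*["']?(?P<ref>[^\s"'#]+)["']?\s*(?:#\s*(?P<comment>\S.*?))?\s*$"""
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    ref: str
    status: str  # one of the values documented in classify_ref()


def classify_ref(ref: str, comment: Optional[str]) -> str:
    """Classify a single `uses:` target.

    pinned           full commit SHA plus a "# vX.Y.Z" comment
    pinned-nocomment full commit SHA but no tracking comment (hard to audit/update)
    unpinned         tag, branch or missing ref: mutable, the case the PR removes
    local            ./path action from this repo, already fixed by the checkout
    docker-digest    docker:// image pinned by @sha256: digest
    docker-tag       docker:// image referenced by a mutable tag
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker-digest" if "@sha256:" in ref else "docker-tag"
    _, sep, version = ref.rpartition("@")
    if not sep:
        return "unpinned"
    if FULL_SHA_RE.fullmatch(version):
        return "pinned" if comment else "pinned-nocomment"
    return "unpinned"


def scan_workflow(text: str) -> List[Finding]:
    """Return one Finding per `uses:` line, in file order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            ref, comment = m.group("ref"), m.group("comment")
            findings.append(Finding(line_no, ref, classify_ref(ref, comment)))
    return findings


def unpinned_refs(text: str) -> List[str]:
    """The refs a pinning PR like this one still has to fix."""
    return [f.ref for f in scan_workflow(text) if f.status in ("unpinned", "docker-tag")]


# Constructed sample (not a file from the PR): one pinned line in the PR's own
# style, several mutable refs, a local action, a docker image and a bare SHA.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  docs:
    uses: huggingface/doc-builder/.github/workflows/build_main_documentation.yml@main
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: docker/setup-buildx-action@v3
      - uses: "trufflesecurity/trufflehog@main"
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no:>3}  {f.status:<17} {f.ref}")
```

Run it against each file under `.github/workflows/` and fail the job when `unpinned_refs` is non-empty; that turns the one-off cleanup in this PR into a standing check. Note what the check does not do: a SHA pin guarantees that the same code runs every time, not that the code is benign, so the first pin of a new action still deserves a look at the commit, and the `# v6.0.2` comment is what keeps that SHA reviewable and updatable later.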