Skip to content

Commit e88e304

Browse files
Pin GitHub Actions to commit hashes for security (#537)
Pin github actions to specific commit SHAs to prevent supply chain attacks and ensure reproducible builds. Assisted-By: Claude Sonnet 4.5
2 parents a86081b + 918ef04 commit e88e304

4 files changed

Lines changed: 10 additions & 10 deletions

File tree

.github/workflows/check-release-notes.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,6 @@ on:
1010
jobs:
1111
check_release_notes:
1212
name: Notes are either written, or there are none
13-
uses: packit/.github/.github/workflows/check-release-notes.yml@main
13+
uses: packit/.github/.github/workflows/check-release-notes.yml@2837c96caf71966609451ad0323552ef4be11a23 # main
1414
with:
1515
description: ${{ github.event.pull_request.body }}

.github/workflows/do-release.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@ jobs:
1111
if: github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'release') && github.repository_owner == 'packit'
1212
runs-on: ubuntu-latest
1313
steps:
14-
- uses: actions/checkout@v3
14+
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
1515
- name: Create GitHub release
1616
run: |
1717
VERSION=$(grep -oP '^# \K[0-9.]+([.\-_]?[a-zA-Z0-9.\-_]+)?' CHANGELOG.md | head -n 1)

.github/workflows/prepare-release.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -16,18 +16,18 @@ jobs:
1616
contents: write
1717

1818
steps:
19-
- uses: actions/checkout@v3
19+
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
2020
with:
2121
fetch-depth: 0
2222
- name: Prepare release content
23-
uses: packit/prepare-release@v3
23+
uses: packit/prepare-release@8e32a3a2fc5b1c33b5dca1620c073d5a7dffd5a5 # v3
2424
with:
2525
version: ${{ inputs.version }}
2626
specfiles: fedora/python-specfile.spec,epel8/python-specfile.spec,centos-integration-sig/python-specfile.spec
2727
prerelease_suffix_pattern: "([.\\-_]?)(a(lpha)?|b(eta)?|r?c|pre(view)?)([.\\-_]?\\d+)?"
2828
prerelease_suffix_macro: prerelease
2929
- name: Create Pull Request
30-
uses: peter-evans/create-pull-request@v7
30+
uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7
3131
with:
3232
labels: release
3333
commit-message: Release ${{ inputs.version }}

.github/workflows/pypi-publish.yml

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -16,11 +16,11 @@ jobs:
1616
runs-on: ubuntu-latest
1717

1818
steps:
19-
- uses: actions/checkout@v4
19+
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
2020
with:
2121
persist-credentials: false
2222

23-
- uses: actions/setup-python@v5
23+
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
2424

2525
- name: Get history and tags for SCM versioning to work
2626
run: |
@@ -34,7 +34,7 @@ jobs:
3434
python -m build
3535
3636
- name: Store the distribution packages
37-
uses: actions/upload-artifact@v4
37+
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
3838
with:
3939
name: python-package-distributions
4040
path: dist/
@@ -52,13 +52,13 @@ jobs:
5252

5353
steps:
5454
- name: Download all the dists
55-
uses: actions/download-artifact@v4
55+
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
5656
with:
5757
name: python-package-distributions
5858
path: dist/
5959

6060
- name: Publish 📦 to PyPI
6161
# https://github.com/pypa/gh-action-pypi-publish
62-
uses: pypa/gh-action-pypi-publish@release/v1
62+
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
6363
with:
6464
verbose: true

0 commit comments

Comments
 (0)