Pin astral-sh/ruff-action to a specific commit #3265
svartkanin merged 1 commit into archlinux:master from
(force-pushed: 512e354 to fcd4b24)
Interesting, so this means that we need to keep track of releases and manually update the hash moving forward. So if there were vulnerabilities discovered in previous versions, we need to be aware of that and potentially update the hash.
It seems like Renovate can handle the bumping of actions with specific commit hashes: https://docs.renovatebot.com/presets-helpers/#helperspingithubactiondigests I will look into adding ruff-action to
So would the updates be pushed for every new tag release hash?
The GitHub docs recommend pinning third-party actions to specific commits for security hardening purposes.
(force-pushed: fcd4b24 to c54c099)
Yep. With my latest commit, Renovate bot should now submit PRs for action releases using a hash instead of a tag (because tags are mutable). This change will affect all actions, including ones from GitHub. If things get too noisy, we can add some additional config to schedule the updates less frequently.
Okay, let's try it out
PR Description:
The GitHub docs recommend pinning third-party actions to specific commits for security hardening purposes:
https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
A recent security issue:
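As an added example (not code from this PR or the archlinux repository), a small Python check that scans a workflow file for `uses:` references that are not pinned to a full 40-character commit SHA, i.e. the mutable tag or branch references this PR replaces by hand and that Renovate's `helpers:pinGitHubActionDigests` preset then keeps updated. The embedded workflow and its SHA are constructed placeholders, not real ruff-action commits.

```python
import re

# Constructed sample workflow. The 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: lint
on: [push]
jobs:
  ruff:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/ruff-action@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: ./.github/actions/local-step
      - name: Run script
        run: echo hello
"""

# Matches "uses: <owner>/<repo>@<ref>" at any indentation, with or without a list dash.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
# A pin is only immutable when it is the full commit SHA; short SHAs and tags are not.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_uses(workflow_text):
    """Return (line_no, reference) for every external `uses:` whose ref is not a
    full 40-hex commit SHA. Local (./) and docker:// references are skipped;
    tags, branches and abbreviated SHAs are reported because they can move."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref_spec = m.group(1).strip("'\"")
        if ref_spec.startswith("./") or ref_spec.startswith("docker://"):
            continue
        if "@" not in ref_spec:
            # No ref at all: GitHub would reject it, but flag it anyway.
            findings.append((line_no, ref_spec))
            continue
        _action, ref = ref_spec.rsplit("@", 1)
        if not FULL_SHA_RE.match(ref):
            findings.append((line_no, ref_spec))
    return findings


if __name__ == "__main__":
    for line_no, ref_spec in unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref_spec} is not pinned to a full commit SHA")
```

Running it on the sample reports only `actions/checkout@v4`; the ruff-action line passes because it carries a full SHA, which is the state this PR puts the workflow in.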