Skip to content

CI: Pin Github Actions to a particular SHA #1600

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
triceo opened this issue May 20, 2025 · 0 comments · Fixed by #1614
Closed

CI: Pin Github Actions to a particular SHA #1600

triceo opened this issue May 20, 2025 · 0 comments · Fixed by #1614
Assignees
@triceo
Milestone
v1.23.0

Comments

@triceo
Copy link
Contributor

triceo commented May 20, 2025

It is a potential security problem to depend on Github Actions by tag, such as @v4. The repository can be hijacked, and the tag can be overwritten by some malicious version.

We need to review all of our GHA workflows and convert them to use SHAs.
At the same time, let's also try to reduce the number of 3rd-party GHAs from sources other than Github, further reducing our exposure.
@triceo triceo linked a pull request May 26, 2025 that will close this issue
[Aikido] AI Fix for 3rd party Github Actions should be pinned #1614
Merged
@triceo triceo self-assigned this May 26, 2025
@triceo triceo added this to the v1.23.0 milestone May 26, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@triceo triceo

Labels
None yet
Projects
None yet
Milestone
v1.23.0
Development

Successfully merging a pull request may close this issue.

[Aikido] AI Fix for 3rd party Github Actions should be pinned TimefoldAI/timefold-solver
1 participant
@triceo