Pin Forgejo Actions by commit SHA #45

Closed
opened 2026-06-14 19:24:40 +00:00 by james · 0 comments
Git tags on third-party actions are mutable refs — a compromised maintainer can re-point a tag at a malicious commit and every workflow that uses `@v6.0.3` silently picks it up on the next run. Pinning by commit SHA freezes the action at the snapshot we reviewed.

## Scope

- Rewrite every `uses: owner/name@vX.Y.Z` line in `.forgejo/workflows/*.yml` to `uses: owner/name@<full-40-char-sha> # vX.Y.Z`. The tag stays in a trailing comment for human readability.
- Cover both first-party (`actions/checkout`, `actions/setup-node`) and any third-party actions we adopt later.
- Document the convention so future workflow edits stay SHA-pinned. The natural home is a CI section in `CLAUDE.md` or a new `docs/ci.md`.
- Renovate (#44) keeps the SHAs fresh once it lands; this ticket is the one-time backfill.

## Acceptance criteria

- [ ] No `uses:` line in `.forgejo/workflows/` references a mutable tag without a SHA pin.
- [ ] PR pipeline still passes against the SHA-pinned actions.
- [ ] The convention is documented and the docs link to the rationale (mutable-tag risk).

Part of epic #2.
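One way to enforce the first acceptance criterion in CI and to do the backfill mechanically, as an added example written for this page (it is not code from the issue or from the repository): a scanner that flags every `uses:` still on a mutable ref, and a rewriter that turns `owner/name@tag` into `owner/name@<sha> # tag` once the SHA has been resolved. It assumes the `.forgejo/workflows` layout named above; the sample workflow and its placeholder SHA are constructed for the example.

```python
"""Added example for this issue: a check for the SHA-pinning convention plus a
rewrite helper for the one-time backfill. Illustrative code written for this
page, not the project's own tooling; the sample workflow and the placeholder
SHA below are constructed."""
import re
import sys
from pathlib import Path

# Matches a step's `uses:` line, with an optional quoted value and trailing `# comment`.
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*['"]?(?P<ref>[^'"#\s]+)['"]?\s*(?:#\s*(?P<comment>.*\S))?\s*$"""
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref, comment=None):
    """Classify one `uses:` reference as 'pinned', 'unpinned' or 'local'.

    Returns (status, detail). Only a full 40-hex commit SHA (or, for docker://
    images, a sha256 digest) counts as pinned; tags, branches and a missing ref
    are all mutable.
    """
    if ref.startswith("./"):
        return "local", "repository-local action; nothing to pin"
    if ref.startswith("docker://"):
        if "@sha256:" in ref:
            return "pinned", "image pinned by digest"
        return "unpinned", "docker image referenced by tag"
    name, sep, version = ref.rpartition("@")
    if not sep:
        return "unpinned", "no ref given; resolves to the default branch"
    if not SHA_RE.fullmatch(version):
        return "unpinned", f"mutable ref {version!r}"
    if not comment:
        return "pinned", "SHA-pinned, but the '# vX.Y.Z' comment is missing"
    return "pinned", f"SHA-pinned to {comment}"


def check_workflow_text(text, path="<inline>"):
    """Return [(path, lineno, ref, detail)] for every unpinned `uses:` in a workflow."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        status, detail = classify_uses(m.group("ref"), m.group("comment"))
        if status == "unpinned":
            findings.append((path, lineno, m.group("ref"), detail))
    return findings


def check_workflow_dir(directory=".forgejo/workflows"):
    """Scan every *.yml / *.yaml file under the workflow directory."""
    findings = []
    for pattern in ("*.yml", "*.yaml"):
        for path in sorted(Path(directory).glob(pattern)):
            findings.extend(check_workflow_text(path.read_text(), str(path)))
    return findings


def pin_uses_line(line, resolved):
    """Rewrite `uses: owner/name@tag` to `uses: owner/name@<sha> # tag`.

    `resolved` maps 'owner/name@tag' to the tag's peeled commit SHA, looked up
    out of band (e.g. with `git ls-remote --tags`). Lines that are already
    pinned, local, docker images, or not in `resolved` come back unchanged.
    """
    m = USES_RE.match(line)
    if not m:
        return line
    ref = m.group("ref")
    status, _ = classify_uses(ref, m.group("comment"))
    name, sep, tag = ref.rpartition("@")
    if status != "unpinned" or not sep or ref.startswith("docker://") or ref not in resolved:
        return line
    sha = resolved[ref]
    if not SHA_RE.fullmatch(sha):
        raise ValueError(f"{ref}: expected a full 40-hex commit SHA, got {sha!r}")
    prefix = line[: m.start("ref")].rstrip("'\"")
    return f"{prefix}{name}@{sha} # {tag}"


# Constructed sample workflow; the setup-node SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  test:
    runs-on: docker
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.2
      - uses: ./.forgejo/actions/lint
      - uses: docker://alpine:3.19
      - run: npm ci && npm test
"""


if __name__ == "__main__":
    # As a CI gate: non-zero exit while any `uses:` is still on a mutable ref.
    target = sys.argv[1] if len(sys.argv) > 1 else ".forgejo/workflows"
    problems = check_workflow_dir(target)
    for path, lineno, ref, detail in problems:
        print(f"{path}:{lineno}: {ref}: {detail}")
    sys.exit(1 if problems else 0)
```

On the constructed sample the scanner reports lines 7 and 10 (the `@v4` tag and the `alpine:3.19` image tag); the placeholder-SHA line and the local action pass. When building the `resolved` map for the backfill, take the SHA from the `^{}` (peeled) line of `git ls-remote --tags`: for an annotated tag the unpeeled line is the tag object, not the commit. The pin only freezes what was reviewed, so read the diff at that commit before recording it.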

james closed this issue 2026-06-15 12:06:56 +00:00
Reference
james/carol#45