Pin Forgejo Actions by commit SHA #45
Reference
james/carol#45
Git tags on third-party actions are mutable refs — a compromised maintainer can re-point a tag at a malicious commit and every workflow that uses `@v6.0.3` silently picks it up on the next run. Pinning by commit SHA freezes the action at the snapshot we reviewed.

Scope

- Change every `uses: owner/name@vX.Y.Z` line in `.forgejo/workflows/*.yml` to `uses: owner/name@<full-40-char-sha> # vX.Y.Z`. The tag stays in a trailing comment for human readability.
- Covers the actions currently in use (`actions/checkout`, `actions/setup-node`) and any third-party actions we adopt later.
- Record the pinning convention in `CLAUDE.md` or a new `docs/ci.md`.

Acceptance criteria

- No `uses:` line in `.forgejo/workflows/` references a mutable tag without a SHA pin.

Part of epic #2.
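A check for the acceptance criterion above, written as an added example (not the project's own tooling): it scans workflow files for `uses:` lines and reports any whose ref is not a full 40-character commit SHA. The sample workflow text is constructed; the `scan_workflows` default path follows the `.forgejo/workflows/*.yml` layout described in this issue.

```python
import re
from pathlib import Path

# A `uses:` line; captures the action reference (owner/name@ref), ignoring
# quotes and any trailing "# vX.Y.Z" comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?')
# A full, unabbreviated git commit SHA.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')

def check_uses_line(line):
    """Return (ref, problem) for a `uses:` line, or None if the line is not one.
    problem is None when the action is pinned to a full commit SHA or has no
    git ref to pin (local ./path or docker:// references)."""
    m = USES_RE.match(line)
    if not m:
        return None
    ref = m.group(1)
    if ref.startswith(('./', 'docker://')):
        return (ref, None)
    if '@' not in ref:
        return (ref, 'no ref at all (floats on the default branch)')
    _, version = ref.rsplit('@', 1)
    if SHA_RE.match(version):
        return (ref, None)
    return (ref, f'ref {version!r} is not a full 40-char commit SHA')

def find_unpinned(text):
    """Scan workflow YAML text; return [(line_no, ref, problem)] for unpinned uses."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        result = check_uses_line(line)
        if result and result[1]:
            findings.append((no, result[0], result[1]))
    return findings

def scan_workflows(root='.forgejo/workflows'):
    """Scan every *.yml under root; return {path: findings} for files with problems."""
    return {str(p): f for p in sorted(Path(root).glob('*.yml'))
            if (f := find_unpinned(p.read_text()))}

# Constructed sample workflow (not from any real repository).
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.2
      - uses: ./.forgejo/actions/local
      - uses: some/action@main
"""

if __name__ == '__main__':
    for no, ref, problem in find_unpinned(SAMPLE):
        print(f'line {no}: {ref}: {problem}')
```

Run it without arguments to see the two unpinned lines in the sample; in CI, call `scan_workflows()` and fail the job when the returned dict is non-empty.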