Pinning Action Dependencies for Security and Reliability #167
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Tatsinnit
approved these changes
Feb 28, 2025
bosesuneha
approved these changes
Feb 28, 2025
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This pull request updates several GitHub Action workflows to use specific commit SHAs instead of version tags. This ensures that the workflows use a fixed version of the actions, avoiding potential security issues with future updates.
Updates to GitHub Action workflows:
.github/workflows/defaultLabels.yml: Updatedactions/staleto use commit SHA5bef64f19d7facfb25b37b414482c7164d639639instead of versionv9. [1] [2].github/workflows/integration-tests.yml: Updatedactions/checkoutto use commit SHA11bd71901bbe5b1630ceea73d27597364c9af683instead of versionv4..github/workflows/prettify-code.yml: Updatedactions/checkoutto use commit SHA11bd71901bbe5b1630ceea73d27597364c9af683instead of versionv4, andactionsx/prettierto use commit SHA3d9f7c3fa44c9cb819e68292a328d7f4384be206instead of versionv3..github/workflows/release-pr.yml: UpdatedAzure/action-release-workflowsto use commit SHA6f9de5deea0d6655168c8dd26e8849698f9a3809instead of versionv1..github/workflows/tag-and-draft.yml: UpdatedOliverMKing/javascript-release-workflowto use commit SHAc753e1545b144562237cd1177a95bab21a785cffinstead of themainbranch..github/workflows/unit-tests.yml: Updatedactions/checkoutto use commit SHA11bd71901bbe5b1630ceea73d27597364c9af683instead of versionv4.Noticed that for the repo is using a third party action step for prettier: "actionx/prettier". Wanted to understand its usage vs the native prettier check.