
Commit daad632

Pin commit hash of github actions to avoid supply chain attacks (#405)
## Changes

To avoid supply chain attacks, specify actions in GitHub Actions workflows using commit hashes instead of version numbers. Pinact-action will fail the CI job if this is not done. Renovate already supports updates in the commit hash state, so there is no issue.

## References

- https://github.com/suzuki-shunsuke/pinact-action
  - does pinact-action verify the checksum of the version of aqua it is using? Yes!:
- https://github.com/suzuki-shunsuke/pinact

## Other repositories

- line/line-bot-sdk-python line/line-bot-sdk-python#772
- line/line-bot-sdk-php line/line-bot-sdk-php#680
- line/line-bot-sdk-nodejs line/line-bot-sdk-nodejs#1201
- line/line-bot-sdk-java line/line-bot-sdk-java#1576
- line/line-bot-sdk-go line/line-bot-sdk-go#555
- line/line-bot-sdk-ruby #405
- line/line-openapi line/line-openapi#90
1 parent 38d89d1 commit daad632
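The policy this commit enforces, as an added example and not code from this repository or from pinact: a small Ruby checker that scans workflow text for `uses:` references and reports any external action that is not pinned to a full 40-hex commit SHA. The additional requirement that each pin carry a `# vX.Y.Z` release comment is this example's own assumption (it mirrors the comments in the diff) and is not necessarily pinact's rule; the sample workflow embedded below is constructed for the demonstration.

```ruby
# Added example checker for the "pin actions to a commit SHA" policy.
# It is not pinact and not part of line-bot-sdk-ruby; the release-comment
# check is an assumption of this example, not a documented pinact rule.

# A `uses:` step line: optional list dash, the reference, an optional trailing comment.
USES_LINE = /\A\s*-?\s*uses:\s*["']?(?<ref>[^\s"'#]+)["']?\s*(?:#\s*(?<comment>.*?))?\s*\z/
FULL_SHA = /\A\h{40}\z/                # a full Git commit id, hex digits only
RELEASE_COMMENT = /\Av?\d+\.\d+\.\d+/  # "v4.2.2": the hint that tools keep in sync with the SHA

# Scans workflow YAML text line by line (a YAML parser would drop the comments
# we need) and returns one finding hash per violation; an empty array means clean.
def check_workflow(text)
  findings = []
  text.each_line.with_index(1) do |line, lineno|
    m = USES_LINE.match(line)
    next unless m

    ref = m[:ref]
    next if ref.start_with?('./')                                    # local action, nothing to pin
    next if ref.start_with?('docker://') && ref.include?('@sha256:') # image already pinned by digest

    action, _, version = ref.partition('@')
    problem =
      if version.empty?
        'no ref: resolves to the default branch at run time'
      elsif !FULL_SHA.match?(version)
        "ref #{version.inspect} is a tag or branch, not a full commit SHA"
      elsif m[:comment].nil? || !RELEASE_COMMENT.match?(m[:comment])
        'pinned, but missing the "# vX.Y.Z" release comment'
      end
    findings << { line: lineno, action: action, problem: problem } if problem
  end
  findings
end

# Constructed sample workflow modelled on the lines in this diff; not a real file.
SAMPLE_WORKFLOW = <<~YAML
  jobs:
    test:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v4
        - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        - uses: ruby/setup-ruby@1a615958ad9d422dd932dc1d5823942ee002799f # v1.227.0
        - uses: ./.github/actions/local-thing
        - name: Script step
          uses: actions/github-script@main
YAML

if $PROGRAM_NAME == __FILE__
  # With file arguments: check those files and fail like a CI step would.
  # Without arguments: report on the embedded sample so the script runs offline.
  files = ARGV
  inputs = files.empty? ? { 'sample' => SAMPLE_WORKFLOW } : files.to_h { |f| [f, File.read(f)] }
  total = 0
  inputs.each do |name, text|
    check_workflow(text).each do |f|
      total += 1
      puts "#{name}:#{f[:line]}: #{f[:action]}: #{f[:problem]}"
    end
  end
  exit 1 if total.positive? && !files.empty?
end
```

Run it as `ruby check_pins.rb .github/workflows/*.yml` to get a non-zero exit on any unpinned reference. On the sample it reports three lines: the bare `@v4` tag, the `@main` branch, and the SHA-pinned checkout whose comment says only `v4` rather than the release it actually corresponds to, which is exactly the comment correction this commit makes in `pull_request.yml`.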


6 files changed

+26
-14
lines changed


.github/workflows/check-eol-newrelease.yml

Lines changed: 2 additions & 2 deletions
@@ -11,10 +11,10 @@ jobs:
1111
runs-on: ubuntu-latest
1212
steps:
1313
- name: Check out code
14-
uses: actions/checkout@v4
14+
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
1515

1616
- name: Run EoL & NewRelease check
17-
uses: actions/github-script@v7
17+
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
1818
with:
1919
script: |
2020
const checkEolAndNewReleases = require('.github/scripts/check-eol-newrelease.cjs');
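Review bot: the `# v4.2.2` and `# v7.0.1` comments on the new lines 14 and 17 are informational only; GitHub resolves the 40-hex SHA and never checks that the comment matches it, so a reviewer should confirm each hand-written pin once before merging, for example with `git ls-remote https://github.com/actions/checkout refs/tags/v4.2.2` (if the tag is annotated, the commit the workflow should reference is the peeled `refs/tags/v4.2.2^{}` line, not the tag object). After this commit the comments are maintained by Renovate's digest preset rather than by hand, so this is a one-time check on the initial pins.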

.github/workflows/close-issue.yml

Lines changed: 1 addition & 1 deletion
@@ -12,7 +12,7 @@ jobs:
1212
issues: write
1313
pull-requests: write
1414
steps:
15-
- uses: actions/stale@v9
15+
- uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
1616
with:
1717
days-before-issue-stale: 14
1818
days-before-issue-close: 0
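Review bot: the `issues: write` and `pull-requests: write` grants on lines 12 and 13 are what `actions/stale` needs, so there is nothing to trim here, but they are also exactly what a compromised action would inherit; the SHA pin on line 15 freezes the code those permissions are handed to, which is why the Renovate bumps that move this SHA should be reviewed like any other code change rather than waved through.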

.github/workflows/create-draft-release.yml

Lines changed: 4 additions & 4 deletions
@@ -43,10 +43,10 @@ jobs:
4343
needs: validate-input
4444

4545
steps:
46-
- uses: actions/checkout@v4
46+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
4747
- name: Fetch Latest Release
4848
id: get-latest-release
49-
uses: actions/github-script@v7
49+
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
5050
with:
5151
script: |
5252
const latestRelease = await github.rest.repos.getLatestRelease({
@@ -62,7 +62,7 @@ jobs:
6262
6363
- name: Calculate New Version
6464
id: calculate-version
65-
uses: actions/github-script@v7
65+
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
6666
with:
6767
script: |
6868
const latestTag = '${{ steps.get-latest-release.outputs.latest_tag }}';
@@ -83,7 +83,7 @@ jobs:
8383
8484
- name: Generate Release Notes
8585
id: generate-release-notes
86-
uses: actions/github-script@v7
86+
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
8787
with:
8888
script: |
8989
const { data: releaseNotes } = await github.rest.repos.generateReleaseNotes({
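Review bot: the three `actions/github-script` pins in this file (lines 49, 65 and 86) and the one in `publish.yml` all carry the same SHA `60a0d83039c74a4aee543508d2ffcb1c3799cdea`; keep it that way. Renovate's digest updates move every occurrence of an action together, but a manual edit to one step leaves the others on an older commit and the `# v7.0.1` comment then misdescribes at least one of them, while each line individually still looks like a valid pin. Reviewing pin changes per action rather than per line catches that.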

.github/workflows/publish.yml

Lines changed: 4 additions & 4 deletions
@@ -18,8 +18,8 @@ jobs:
1818
contents: write # IMPORTANT: this permission is required for `rake release` to push the release tag
1919

2020
steps:
21-
- uses: actions/checkout@v4
22-
- uses: ruby/setup-ruby@v1
21+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
22+
- uses: ruby/setup-ruby@1a615958ad9d422dd932dc1d5823942ee002799f # v1.227.0
2323
with:
2424
bundler-cache: true
2525
ruby-version: 3.3
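Review bot: `ruby-version: 3.3` on line 24 is an unquoted YAML float while `pull_request.yml` quotes its versions (`'3.1', '3.2', '3.3'`); quote it here too (`ruby-version: '3.3'`) so a future bump to a version with a trailing zero, such as 3.10, is not parsed as 3.1. On the pinning itself: this job holds `contents: write` (line 18) and runs the release, so the `checkout` and `setup-ruby` SHAs on lines 21 and 22 are the most valuable pins in the whole change.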
@@ -43,11 +43,11 @@ jobs:
4343
4444
git add lib/line/bot/api/version.rb
4545
git commit -m "Set version to $VERSION"
46-
- uses: rubygems/release-gem@v1
46+
- uses: rubygems/release-gem@a25424ba2ba8b387abc8ef40807c2c85b96cbe32 # v1.1.1
4747

4848
- name: Create GitHub Issue on Failure
4949
if: failure()
50-
uses: actions/github-script@v7
50+
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
5151
with:
5252
script: |
5353
const { owner, repo } = context.repo;
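Review bot: `rubygems/release-gem` on line 46 is the step that actually pushes the gem, so its pin deserves a second look: confirm that `a25424ba2ba8b387abc8ef40807c2c85b96cbe32` is the commit tagged v1.1.1 in the rubygems/release-gem repository before merging, since a wrong but well-formed SHA would pass pinact-action's check and still run whatever that commit contains with this job's publishing rights. The `actions/github-script` step on line 50 runs only `if: failure()` and needs no extra permissions beyond what the job already has for issue creation.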

.github/workflows/pull_request.yml

Lines changed: 13 additions & 2 deletions
@@ -14,11 +14,22 @@ jobs:
1414
ruby: [ '3.1', '3.2', '3.3' ]
1515
name: Ruby v${{ matrix.ruby }}
1616
steps:
17-
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
18-
- uses: ruby/setup-ruby@v1
17+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
18+
- uses: ruby/setup-ruby@1a615958ad9d422dd932dc1d5823942ee002799f # v1.227.0
1919
with:
2020
ruby-version: ${{ matrix.ruby }}
2121
- run: gem install bundler
2222
- run: bundle install
2323
- run: bundle exec rubocop
2424
- run: bundle exec rspec
25+
26+
pinact:
27+
runs-on: ubuntu-latest
28+
permissions:
29+
contents: read
30+
steps:
31+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
32+
- name: Run pinact
33+
uses: suzuki-shunsuke/pinact-action@a6896d13d22e2bf108a78b0c52d3f867c1f41b34 # v0.2.1
34+
with:
35+
skip_push: "true"
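Review bot: with `skip_push: "true"` on line 35 the new `pinact` job only reports, so a PR with an unpinned `uses:` fails CI and the author has to run pinact locally and push the fix; that matches the commit message, but it is worth a line in the contributor docs so the failure is not a surprise. Because the check lives only in this workflow (`pull_request.yml`), a pin removed by a direct push to the default branch is not caught until the next PR; branch protection that requires this job closes that gap. `permissions: contents: read` on lines 28 and 29 is the right minimum for a report-only job, and the comment fix on line 17 (`# v4` becomes `# v4.2.2`) brings that pin in line with the rest of the change.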

renovate.json

Lines changed: 2 additions & 1 deletion
@@ -1,7 +1,8 @@
11
{
22
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
33
"extends": [
4-
"config:base"
4+
"config:base",
5+
"helpers:pinGitHubActionDigestsToSemver"
56
],
67
"automerge": true,
78
"platformAutomerge": true,
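Review bot: `config:base` on line 4 is Renovate's deprecated name for `config:recommended`; it still resolves, but switching now avoids the deprecation warning and keeps this file aligned with current Renovate docs. More important for the threat this commit addresses: `"automerge": true` and `"platformAutomerge": true` on lines 6 and 7 mean the digest bumps that `helpers:pinGitHubActionDigestsToSemver` now produces merge without a human look. Pinning protects against a tag being moved under you; it does not protect against a malicious commit that upstream legitimately releases, and with automerge that commit is adopted as soon as Renovate sees it. Consider a `packageRules` entry that disables automerge for the `github-actions` manager, or at least sets `minimumReleaseAge`, so each pin bump gets a short review window.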
