
ci: pin GitHub Actions to full commit SHAs to prevent supply-chain attacks #4090

Open
XananasX7 wants to merge 1 commit into huggingface:main from XananasX7:ci/pin-actions-to-full-commit-sha

@XananasX7


Summary

Pins all GitHub Actions across 6 workflow files to full immutable commit SHAs (21 pins total).

Vulnerability

Using mutable version tags (@v4, @v6, @v7) means any action author (or an attacker who compromises an action repo) can silently push malicious code that runs in CI. The Docker workflows are especially sensitive as they push images to registries.

Changes

| Action | Tag | Pinned SHA |
| --- | --- | --- |
| actions/checkout | v6 | df4cb1c |
| actions/setup-python | v6 | ece7cb0 |
| docker/build-push-action | v7 | f9f3042 |
| docker/login-action | v4 | 650006c |
| docker/setup-buildx-action | v4 | d7f5e7f |

All pins point to the exact same version — no behaviour change.

References
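
A check that enforces the kind of pinning this pull request applies, as an added example (not part of the pull request or the repository's code): it scans workflow text for `uses:` references that are not a full 40-character commit SHA. The workflow snippet and the 40-character SHA in it are constructed placeholders; the function names are hypothetical.

```python
import re

# Captures the value of a "uses:" key (step or job level), quotes optional.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def classify(ref):
    """Return 'pinned', 'local', 'docker-digest', or an 'unpinned: ...' reason."""
    if ref.startswith("./"):
        return "local"  # action stored in the same repository as the workflow
    if ref.startswith("docker://"):
        return "docker-digest" if "@sha256:" in ref else "unpinned: docker tag is mutable"
    _name, sep, version = ref.partition("@")
    if not sep:
        return "unpinned: no ref given"
    if FULL_SHA_RE.fullmatch(version):
        return "pinned"
    if re.fullmatch(r"[0-9a-f]{7,39}", version):
        return "unpinned: abbreviated SHA"  # e.g. the 7-character form shown in a summary table
    return "unpinned: mutable tag or branch"

def audit(workflow_text):
    """Return (line_number, ref, verdict) for every uses: entry that is not pinned."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out steps never run
        match = USES_RE.match(line)
        if match:
            verdict = classify(match.group(1))
            if verdict.startswith("unpinned"):
                findings.append((number, match.group(1), verdict))
    return findings

# Constructed sample workflow; the 40-character SHA is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # v6
      - uses: docker/login-action@650006c
      - uses: ./.github/actions/local-step
      # - uses: docker/build-push-action@v7
"""

if __name__ == "__main__":
    for number, ref, verdict in audit(SAMPLE):
        print(f"line {number}: {ref} -> {verdict}")
```

Run over each file under `.github/workflows/` in CI, a non-empty result can fail the build so that a later edit cannot reintroduce a mutable tag.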
