The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update.
Tags are mutable by default, though GitHub lets individual repos decide that (which is not as helpful as it sounds), but pinning has its own issues. I think GitHub still has a global git repo for all forks, so while only the maintainer can set a tag, anyone can have a SHA hash on the maintainer's repo. In that case, you make some bad code in a fork of a project, and then go to another project, like this one, and propose pinning SHAs and either pinning the wrong SHA at the beginning or updating SHAs for minor versions at a later date. Not suggesting this is you, btw. But the maintainers of the project get lots of extra work for themselves if they go this route. The docs action is based on main! It changes a lot -- that is where I would do it. At least with tags, it is required to infiltrate the main repo. Not so with SHA hashes. Last I remember. I'd be wary of this change. It makes things way easier for the next person.
🔒 Pin GitHub Actions to commit SHAs
This PR pins all GitHub Actions to their exact commit SHA instead of mutable tags or branch names.
Why?
Pinning to a SHA prevents supply chain attacks where a tag (e.g. v4) could be moved to point to malicious code.
Changes

| Workflow | Action | Before | After | SHA (truncated) |
|---|---|---|---|---|
| tests.yml | actions/checkout | v6 | v6.0.2 | de0fac2e4500… |
| tests.yml | pnpm/action-setup | v4 | v4 | b906affcce14… |
| tests.yml | actions/setup-node | v6 | v6 | 53b83947a5a9… |
| documentation.yml | huggingface/doc-builder/.github/workflows/build_main_documentation.yml | main | main | 90b4ee2c10b8… |
| pr-documentation.yml | huggingface/doc-builder/.github/workflows/build_pr_documentation.yml | main | main | 90b4ee2c10b8… |
| upload-pr-documentation.yml | huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml | main | main | 90b4ee2c10b8… |
| publish.yml | actions/checkout | v6 | v6.0.2 | de0fac2e4500… |
| publish.yml | pnpm/action-setup | v4 | v4 | b906affcce14… |
| publish.yml | actions/setup-node | v6 | v6 | 53b83947a5a9… |

Closes huggingface/tracking-issues#283
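An added example, not code from this PR or the project: a small audit that classifies every `uses:` ref in a workflow (full SHA, abbreviated SHA, or mutable tag/branch) and, for the concern raised in the review comment above, checks that each pinned SHA is the one a known release tag resolves to rather than an arbitrary object that may have entered the repo through a fork. The workflow fragment and the `RELEASE_TAGS` map are constructed (the map stands in for the output of `git ls-remote --tags` on the upstream repo); the SHA values are placeholders, not the real ones from the PR.

```python
import re

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?", re.MULTILINE)
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA = re.compile(r"^[0-9a-f]{7,39}$")

# Constructed sample: what a maintainer would collect from `git ls-remote --tags`
# on the upstream repo (placeholder values, not the real SHAs from this PR).
RELEASE_TAGS = {"actions/checkout": {"v6.0.2": "deadbeef" * 5}}

# Constructed workflow fragment mixing pinned, abbreviated and mutable refs.
SAMPLE_WORKFLOW = "\n".join([
    "steps:",
    f"  - uses: actions/checkout@{'deadbeef' * 5} # v6.0.2",
    f"  - uses: actions/checkout@{'cafebabe' * 5} # v6.0.2",
    "  - uses: pnpm/action-setup@v4",
    "  - uses: actions/setup-node@0123abc",
    "  - uses: huggingface/doc-builder/.github/workflows/build_pr_documentation.yml@main",
    "  - uses: ./.github/actions/local",
])

def audit_uses(workflow_text, release_tags):
    """Return (action path, ref, status) for every `uses:` line in a workflow."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        target, comment = m.group(1), m.group(2)
        if "@" not in target:                  # ./local action: nothing to pin
            continue
        path, ref = target.rsplit("@", 1)
        repo = "/".join(path.split("/")[:2])   # owner/repo, dropping reusable-workflow subpaths
        if FULL_SHA.match(ref):
            tags = release_tags.get(repo, {})
            tag = next((t for t, sha in tags.items() if sha == ref), None)
            if tag is None:
                # No release tag resolves to this SHA: it may be reachable only through
                # a fork's objects, so verify it against upstream before merging.
                status = "sha-not-on-release-tag"
            elif comment != tag:
                status = "sha-ok-version-comment-mismatch"
            else:
                status = "ok"
        elif SHORT_SHA.match(ref):
            status = "short-sha"               # abbreviated SHAs are ambiguous; require 40 hex chars
        else:
            status = "mutable-ref"             # a tag or branch name can be moved later
        findings.append((path, ref, status))
    return findings

if __name__ == "__main__":
    for path, ref, status in audit_uses(SAMPLE_WORKFLOW, RELEASE_TAGS):
        print(f"{status:34} {path}@{ref}")
```

The version comment check is what lets a later reader (or a bot) tell which release a pin is meant to track, so a mismatch is worth flagging even when the SHA itself is fine.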