Ref actions by commit SHA in ci.yml
Referencing actions by commit SHA in GitHub workflows guarantees you are
using an immutable version. Actions referenced by tags and branches are
more vulnerable to attacks, such as the tag being moved to a malicious
commit or a malicious commit being pushed to the branch.

It's important to make sure the SHAs are from the original repositories
and not forks. For reference:

https://github.com/actions/checkout/releases/tag/v4.1.1
SHA: b4ffde65f46336ab88eb53be808477a3936bae11

https://github.com/actions/setup-java/releases/tag/v3.13.0
SHA: 0ab4596768b603586c0de567f2430c30f5b0d2b0
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
gabibguti authored and henri-tremblay committed Oct 19, 2023
1 parent 8c47acf commit 664e361
Showing 1 changed file with 2 additions and 2 deletions.
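The check the commit message calls for (every `uses:` reference pinned to a full commit SHA, carrying a readable version comment, and coming from the original owner rather than a fork) can be automated over a workflow file. The linter below is an added example, not code from this commit or this repository; the trusted-owner list and the Finding/problem wording are assumptions, and the sample input is constructed from the before/after `steps:` shown in this diff.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# A workflow step's `uses:` line, with an optional trailing `# comment`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<spec>[^\s#]+)\s*(?:#\s*(?P<comment>\S+))?")
# A full 40-hex commit SHA is the only immutable ref GitHub Actions accepts.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# The version comment we expect next to a SHA pin, e.g. v4.1.1 or 3.13.0.
VERSION_RE = re.compile(r"^v?\d+(\.\d+)*$")

# Assumption: owners whose actions this repository trusts as "original" sources.
TRUSTED_OWNERS = ("actions",)


@dataclass
class Finding:
    line: int
    spec: str
    problem: str


def audit_workflow(yaml_text: str,
                   trusted_owners: Tuple[str, ...] = TRUSTED_OWNERS) -> List[Finding]:
    """Flag `uses:` refs that are mutable, unlabelled, or from an untrusted owner."""
    findings: List[Finding] = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec, comment = m.group("spec"), m.group("comment")
        # Local composite actions and Docker images are not git refs; not covered here.
        if spec.startswith("./") or spec.startswith("docker://"):
            continue
        if "@" not in spec:
            findings.append(Finding(lineno, spec, "missing @ref"))
            continue
        action, ref = spec.rsplit("@", 1)
        owner = action.split("/", 1)[0]
        if owner not in trusted_owners:
            findings.append(Finding(
                lineno, spec,
                f"owner {owner!r} is not in the trusted list; confirm it is the "
                "original repository, not a fork"))
        if not FULL_SHA_RE.match(ref):
            # A tag or branch can be moved or pushed to; only a commit SHA is immutable.
            findings.append(Finding(
                lineno, spec, "mutable ref (tag or branch); pin to the full 40-hex commit SHA"))
        elif not (comment and VERSION_RE.match(comment)):
            findings.append(Finding(
                lineno, spec,
                "SHA pin lacks a '# vX.Y.Z' comment; add one so the pinned release stays readable"))
    return findings


# Constructed input: the `steps:` block from this commit's ci.yml, before and after.
BEFORE = """\
    steps:
    - uses: actions/checkout@v4
    - name: Set up JDK
      uses: actions/setup-java@v3
"""
AFTER = """\
    steps:
    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
    - name: Set up JDK
      uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 #v3.13.0
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        for f in audit_workflow(text):
            print(f"{label}:{f.line}: {f.spec}: {f.problem}")
```

Run against the pre-change file it reports both `@v4` and `@v3` as mutable refs; against the post-change file it reports nothing. The owner check is deliberately a plain allow-list: whether `actions/checkout` at a given SHA really is the upstream release still has to be confirmed against the upstream tag, which this offline check cannot do.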
4 changes: 2 additions & 2 deletions .github/workflows/ci.yml
Expand Up @@ -19,9 +19,9 @@ jobs:
matrix:
java: [ '8', '11', '17', '21' ]
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
- name: Set up JDK
uses: actions/setup-java@v3
uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 #v3.13.0
with:
java-version: ${{ matrix.java }}
distribution: 'zulu'
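Review bot: the two new SHAs on the `uses:` lines are only as trustworthy as the way they were resolved, and nothing in the hunk records that they came from the upstream tags rather than a fork; suggest verifying each with `git ls-remote --tags https://github.com/actions/checkout v4.1.1` and `git ls-remote --tags https://github.com/actions/setup-java v3.13.0`, taking the `refs/tags/<tag>^{}` line (the commit an annotated tag points to) and confirming it equals `b4ffde65f46336ab88eb53be808477a3936bae11` and `0ab4596768b603586c0de567f2430c30f5b0d2b0` respectively. Keep the `#v4.1.1` and `#v3.13.0` comments in lockstep with the SHAs, since they are now the only readable statement of which release is pinned, and note that a SHA pin also freezes the action: later fixes, including security fixes, no longer arrive on their own and need a deliberate bump (Dependabot or Renovate for the github-actions ecosystem can automate this).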
