| author | naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> | 2022-03-18 20:47:20 +0000 |
|---|---|---|
| committer | naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> | 2022-03-18 20:47:20 +0000 |
| commit | dd737bd7554846ad85ed98003c516da35ef34caa (patch) | |
| tree | d28da25da1cbb999a6c66de3ab99a8090e3c679d /.github/workflows/container_release2.yml | |
| parent | 2824940ecf62073e00a4d7e2a069b693082b31cf (diff) | |
| download | seaweedfs-dd737bd7554846ad85ed98003c516da35ef34caa.tar.xz seaweedfs-dd737bd7554846ad85ed98003c516da35ef34caa.zip | |
Pin actions to a full length commit SHA
- Pinned actions by SHA https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies
- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
>Pin actions to a full length commit SHA
>Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
Diffstat (limited to '.github/workflows/container_release2.yml')
| -rw-r--r-- | .github/workflows/container_release2.yml | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/.github/workflows/container_release2.yml b/.github/workflows/container_release2.yml index e62401e7f..5a20fbd51 100644 --- a/.github/workflows/container_release2.yml +++ b/.github/workflows/container_release2.yml @@ -6,6 +6,9 @@ on: - '*' workflow_dispatch: [] +permissions: + contents: read + jobs: build-large-release-container: @@ -14,11 +17,11 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2 - name: Docker meta id: docker_meta - uses: docker/metadata-action@v3 + uses: docker/metadata-action@e5622373a38e60fb6d795a4421e56882f2d7a681 # v3 with: images: | chrislusf/seaweedfs @@ -32,20 +35,20 @@ jobs: org.opencontainers.image.vendor=Chris Lu - name: Set up QEMU - uses: docker/setup-qemu-action@v1 + uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480 # v1 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 + uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1 - name: Login to Docker Hub if: github.event_name != 'pull_request' - uses: docker/login-action@v1 + uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7 # v1 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - name: Build - uses: docker/build-push-action@v2 + uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a # v2 with: context: ./docker push: ${{ github.event_name != 'pull_request' }} |
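Review bot: In the first hunk, the workflow-level `permissions: contents: read` is the right default, but the commit message only links the scorecard check without saying why read-only is sufficient here; add a short comment above the block noting that Docker Hub is authenticated with `secrets.DOCKER_USERNAME` / `secrets.DOCKER_PASSWORD` rather than `GITHUB_TOKEN`, so no job needs write scopes on the token. That records the reasoning for the next person who adds a step that pushes to GHCR and wonders why `packages: write` is missing.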
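Review bot: In the second hunk, the diff cannot show that `629c2de402a417ea7690ca6ce3f33229e27606a5` and `e5622373a38e60fb6d795a4421e56882f2d7a681` actually resolve to the `v2` and `v3` tags named in the trailing comments, and a pin to a SHA that does not match its comment is worse than a tag because nobody will notice; please confirm each SHA against the upstream tag before merge and mention in the PR how they were resolved. The `uses: owner/action@<sha> # vN` comment form is the one Dependabot uses to keep SHA pins current, so keep the comment on every pinned line.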
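Review bot: In the third hunk, the pins on `docker/login-action` and `docker/build-push-action` are the ones that matter most, since those steps receive the registry credentials and produce the published image, but pinning to a SHA also freezes the job on that commit until someone bumps it; with no accompanying change to a Dependabot `github-actions` configuration, these pins will not pick up upstream fixes. Suggest adding (in a follow-up if out of scope here) a `.github/dependabot.yml` entry for the `github-actions` ecosystem so the SHAs and their `# vN` comments are updated together, and confirm that the unchanged `if: github.event_name != 'pull_request'` guard on the login step and the `push:` expression still behave as intended with the pinned versions.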
