pin github actions by hash #2765

Open: wants to merge 1 commit into base: main

Conversation

datosh
@datosh datosh commented Aug 5, 2025

Rollback Plan

If a change needs to be reverted, we will publish an updated version of the library.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

Description

I've noticed that this project is pinning most of its GitHub Action dependencies by referencing a commit hash. This is great, as it ensures that the workflows are both stable and secure. It is a security best practice, endorsed by GitHub, and prevents security incidents such as CVE-2025-30066, aka the "tj-actions/changed-files supply chain attack".

However, the following actions were not pinned:

  • hashicorp/actions-generate-metadata
  • hashicorp/actions-go-build
  • hashicorp/actions-set-product-version

I was not able to find any legitimate reason in the git history or issues, so I assume these were just overlooked.

This PR pins the actions to match the best practice followed by the other workflows in this repository.

Acceptance tests

  • Have you added an acceptance test for the functionality being added?
  • Have you run the acceptance tests on this branch?

Output from acceptance testing:

N/A no changes to code tested by this

Release Note

Release note for CHANGELOG:

NONE

References

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Signed-off-by: Fabian Kammel <fabian@kammel.dev>
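The practice this PR applies is that a `uses:` reference to a third-party action should name a full 40-hex commit SHA (with a trailing `# vX.Y.Z` comment so reviewers can still see which release it corresponds to), because a tag or branch can be moved after the fact while a commit hash cannot. The following audit script is an added example, not code from this PR or from the repository it targets; it scans a workflow file for `uses:` references and reports those that are not pinned to a full SHA, treating abbreviated hashes, tags, branches and missing refs all as unpinned. The sample workflow is constructed: `actions/checkout` is only there as a pinned-style line, the 40-hex value is a placeholder rather than a real commit, and the function names are mine.

```python
import re

# Matches `uses:` references in a workflow: owner/repo[/path]@ref, plus an optional
# trailing "# v1.2.3" comment that documents which version the hash corresponds to.
USES_RE = re.compile(
    r'^[ \t]*-?[ \t]*uses:[ \t]*([^\s#]+)(?:[ \t]*#[ \t]*(\S+))?',
    re.MULTILINE,
)
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def audit_workflow(text):
    """Classify every `uses:` reference in a workflow file.

    Returns a list of dicts with keys action, ref, comment and status, where
    status is 'pinned' (full 40-hex commit SHA), 'unpinned' (tag, branch,
    abbreviated SHA or no ref at all) or 'local' (repository-local path or
    docker:// image, which this check does not evaluate).
    """
    findings = []
    for match in USES_RE.finditer(text):
        spec, comment = match.group(1), match.group(2)
        if spec.startswith('./') or spec.startswith('docker://'):
            findings.append({'action': spec, 'ref': None,
                             'comment': comment, 'status': 'local'})
            continue
        action, sep, ref = spec.partition('@')
        # A mutable ref (tag or branch) can be repointed by whoever controls the
        # action's repository; only a full commit SHA is immutable.
        status = 'pinned' if sep and FULL_SHA_RE.match(ref) else 'unpinned'
        findings.append({'action': action, 'ref': ref or None,
                         'comment': comment, 'status': status})
    return findings


def unpinned_actions(text):
    """Names of third-party actions that are not pinned to a full commit SHA."""
    return [f['action'] for f in audit_workflow(text) if f['status'] == 'unpinned']


def pinned_without_version_comment(text):
    """Pinned actions lacking the '# vX.Y.Z' comment that keeps hash pins reviewable."""
    return [f['action'] for f in audit_workflow(text)
            if f['status'] == 'pinned' and f['comment'] is None]


# Constructed sample workflow (not from the PR). The 40-hex value is a placeholder,
# not a real commit of actions/checkout; the hashicorp lines mirror the unpinned
# forms the PR description describes.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: hashicorp/actions-set-product-version@v1
      - uses: hashicorp/actions-go-build@main
      - uses: hashicorp/actions-generate-metadata@0123456
      - uses: ./.github/actions/local-step
"""

if __name__ == '__main__':
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{f['status']:8} {f['action']} @ {f['ref']}")
    print('unpinned:', unpinned_actions(SAMPLE_WORKFLOW))
```

Run against a real repository by reading each file under `.github/workflows/` and passing its contents to `unpinned_actions`; a non-empty result is the list this PR's author found by hand. The check is deliberately line-based rather than a full YAML parse so it also catches references inside composite actions and reusable-workflow `uses:` lines without pulling in a YAML library.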
@datosh datosh requested a review from a team as a code owner August 5, 2025 19:24
hashicorp-cla-app bot commented Aug 5, 2025

CLA assistant check
All committers have signed the CLA.
