From 0a73a0afa68d9091e432d18a80366f95f3f03fcc Mon Sep 17 00:00:00 2001
From: Christopher Horrell
Date: Thu, 21 May 2026 10:23:31 -0400
Subject: [PATCH] security: pin GitHub Actions to commit hashes
Remediate zizmor security findings by pinning all GitHub Actions to their full commit SHA-256 hashes instead of version tags. This prevents supply chain attacks through action modifications.
Fixes:
- actions/checkout: pinned to v6.0.2 (de0fac2e4500dabe0009e67214ff5f5447ce83dd)
- hendrikmuhs/ccache-action: pinned to v1.2.23 (d62db5f07c26379fc4b4e0916f098a92573c3b03)
- docker/setup-qemu-action: pinned to v4.0.0 (ce360397dd3f832beb865e1373c09c0e9f86d70a)
- docker/setup-buildx-action: pinned to v4.0.0 (4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd)
- docker/build-push-action: pinned to v7.1.0 (bcafcacb16a39f128d818304e6c9c0c18556b85f)
- docker/login-action: pinned to v4.1.0 (4907a6ddec9925e35a0a9e82d7399ccc52663121)
- docker/metadata-action: pinned to v6.0.0 (030e881283bb7a6894de51c315a6bfe6a94e05cf)
- DavidAnson/markdownlint-cli2-action: pinned to v23.2.0 (ded1f9488f68a970bc66ea5619e13e9b52e601cd)
---
 .github/workflows/dockerimage.yml | 10 +++++-----
 .github/workflows/linting.yml | 8 ++++----
 .github/workflows/update-current-image.yml | 20 ++++++++++----------
 3 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml
index 09c69f4..0e76190 100644
--- a/.github/workflows/dockerimage.yml
+++ b/.github/workflows/dockerimage.yml
@@ -30,10 +30,10 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: ccache
- uses: hendrikmuhs/ccache-action@v1.2.23
+ uses: hendrikmuhs/ccache-action@d62db5f07c26379fc4b4e0916f098a92573c3b03 # v1.2.23
 with:
 key: ${{ matrix.os }}-${{ matrix.platform }}
 max-size: 10G
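Review bot: Nothing in this hunk or in the description records how the hash in each `uses:` line was checked against the upstream release tag that the trailing `# v6.0.2` / `# v1.2.23` comment names, and that comment is only a comment: a pin such as `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2` protects the build only if the hash was confirmed to be the commit the upstream tag resolves to, because GitHub also serves commits that reached the repository through forks under the upstream name. Before merging, resolve each tag on the action's repository (for example `git ls-remote --tags` and compare the peeled `^{}` object) and say so in the description; the same check applies to the -60 hunk of dockerimage.yml, the three linting.yml hunks and the five update-current-image.yml hunks, which reuse these hashes. Since the floating major tags such as `docker/setup-qemu-action@v4` are replaced by exact releases, patch updates will no longer arrive on their own; a `github-actions` ecosystem entry in `.github/dependabot.yml` (or the Renovate equivalent) keeps the hash and its version comment moving together. The description calls the pins "SHA-256 hashes", but the 40-hex values in the hunk are Git SHA-1 object ids, which is worth stating correctly.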
@@ -60,13 +60,13 @@ jobs:
 cp node-v$LATEST_VERSION/out/Release/node node
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v4
+ uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v4
+ uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 - name: Build Image
- uses: docker/build-push-action@v7
+ uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
 with:
 context: .
 platforms: linux/${{ matrix.platform }}
diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
index 506509a..b5efa28 100644
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -8,7 +8,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: shfmt
 run: |
@@ -19,7 +19,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Shellcheck
 run: |
@@ -30,9 +30,9 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Markdownlint
- uses: DavidAnson/markdownlint-cli2-action@v23.2.0
+ uses: DavidAnson/markdownlint-cli2-action@ded1f9488f68a970bc66ea5619e13e9b52e601cd # v23.2.0
 with:
 globs: '*.md'
diff --git a/.github/workflows/update-current-image.yml b/.github/workflows/update-current-image.yml
index 7e41fff..0019790 100644
--- a/.github/workflows/update-current-image.yml
+++ b/.github/workflows/update-current-image.yml
@@ -20,7 +20,7 @@ jobs:
 NODE_VERSION: ${{ steps.get_version.outputs.NODE_VERSION }}
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Validate and Get NODE_VERSION
 id: get_version
@@ -66,10 +66,10 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: ccache
- uses: hendrikmuhs/ccache-action@v1.2.23
+ uses: hendrikmuhs/ccache-action@d62db5f07c26379fc4b4e0916f098a92573c3b03 # v1.2.23
 with:
 key: ${{ matrix.os }}-${{ matrix.platform }}
 max-size: 10G
@@ -95,26 +95,26 @@ jobs:
 cp node-v$NODE_VERSION/out/Release/node node
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v4
+ uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v4
+ uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 - name: Login to DockerHub
- uses: docker/login-action@v4
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 - name: Login to GitHub Container Registry
- uses: docker/login-action@v4
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
 password: ${{ secrets.CR_PAT }}
 - name: Build
- uses: docker/build-push-action@v7
+ uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
 env:
 DOCKER_BUILD_SUMMARY: false
 with:
@@ -128,7 +128,7 @@ jobs:
 - name: Docker meta
 id: meta
- uses: docker/metadata-action@v6
+ uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
 with:
 flavor: latest=true
 images: ${{ secrets.DOCKERHUB_USERNAME }}/${{ env.IMAGE_NAME }}, ghcr.io/chorrell/${{ env.IMAGE_NAME }}
@@ -138,7 +138,7 @@ jobs:
 current
 - name: Build and push Image
- uses: docker/build-push-action@v7
+ uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
 with:
 context: .
 platforms: linux/${{ matrix.platform }}