CodeMirror 5 already hash-pins its GitHub Actions (done in #7065), which is great. However, hashes are hard to update manually, so we could use Dependabot to do this work automatically.
We can set up Dependabot to send a single monthly PR to update all the hashes. This will help keep your CI up-to-date. If you'd rather keep the Actions fixed at these trusted versions, that's understandable.
In any case, I'll also suggest enabling Dependabot security updates (if you haven't already – that information isn't visible from outside). These are PRs sent by Dependabot whenever a vulnerability is reported on a dependency. This will ensure that, should a vulnerability be discovered in the hash-pinned version of an Action, you will immediately receive a PR to migrate to a patched version. To enable security updates:
In the meantime, I'll send a PR adding Dependabot so you can take a look.
Disclosure: My name is Pedro and I work with Google and the Open Source Security Foundation to improve the supply-chain security of projects critical to the open-source ecosystem.
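For reference, a `.github/dependabot.yml` that implements the setup described in the post above (monthly, all Action bumps batched into one PR). This is an added illustration, not the PR the post refers to; the `groups` block is my reading of "a single monthly PR", and the SHA in the comment is a placeholder.

```yaml
# .github/dependabot.yml
# Dependabot config for keeping hash-pinned GitHub Actions current.
version: 2
updates:
  - package-ecosystem: "github-actions"
    # Workflows live under .github/workflows; "/" is the conventional value.
    directory: "/"
    schedule:
      interval: "monthly"
    # Batch every Action update into one PR instead of one PR per Action,
    # matching the "single monthly PR" suggested in the issue.
    groups:
      github-actions:
        patterns:
          - "*"
    # Only one open update PR at a time keeps review load predictable.
    open-pull-requests-limit: 1

# Dependabot recognises hash-pinned `uses:` lines of this form and bumps both
# the commit SHA and the trailing version comment, so the pin stays intact:
#   uses: actions/checkout@<40-hex-commit-sha>  # vX.Y.Z   (placeholder SHA)
```

Security updates (PRs on reported vulnerabilities) are a separate repository setting and are not controlled by this file.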