in-toto / witness

Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact provenance.
https://witness.dev
Apache License 2.0

Improve gha #318

Closed kairoaraujo closed 1 year ago

kairoaraujo commented 1 year ago

It's a good practice to pin the GitHub Actions with a full-length commit SHA, as described in "Security hardening for GitHub Actions": https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions

I noticed that Dependabot also checks weekly for updates. It will maintain the updates using the hash.

kairoaraujo commented 1 year ago

Should we also make it pinned? https://github.com/in-toto/witness/blob/d8d416c28910fe6d305f746987e630726a4e3209/.github/workflows/verify-licence.yml#L16-L17

adityasaky commented 1 year ago

> Should we also make it pinned?

I think dependabot may not handle that?

kairoaraujo commented 1 year ago

> I think dependabot may not handle that?

No, it will not handle it.

ChaosInTheCRD commented 1 year ago

> > I think dependabot may not handle that?
>
> No, it will not handle it.

Could we at least semver pin it? @v1.1.1 or something?

kairoaraujo commented 1 year ago

I see that my work here duplicates https://github.com/in-toto/witness/pull/316.