Commit 6716387

docs: require tag annotation comment when pinning actions to commit SHA
1 parent fcd0a88 commit 6716387

1 file changed

Lines changed: 2 additions & 2 deletions

practices/actions-best-practices.md

@@ -87,14 +87,14 @@ To mitigate these risks, all actions must be pinned to specific commit SHAs, rev
8787
8888
### Pin All Actions to a Commit SHA
8989
90-
When including a GitHub Action within your workflow you should perform due diligence checks to ensure that the action achieves the aims you are intending it to, and that it does not do anything unintended, including reviewing the action code where appropriate. Every action reference must use a full-length commit SHA, including GitHub-authored actions, marketplace actions, and internally maintained actions. Do not use tags or branch references in committed workflow definitions because they can move without review or be modified if the upstream repository is compromised:
90+
When including a GitHub Action within your workflow you should perform due diligence checks to ensure that the action achieves the aims you are intending it to, and that it does not do anything unintended, including reviewing the action code where appropriate. Every action reference must use a full-length commit SHA, including GitHub-authored actions, marketplace actions, and internally maintained actions, and must include an inline comment identifying the corresponding tag or version. Do not use tags or branch references in committed workflow definitions because they can move without review or be modified if the upstream repository is compromised. The tag annotation comment is not optional — without it, a pinned SHA is opaque and cannot be reviewed or updated effectively:
9191
9292
```yaml
9393
# Not secure - can change unexpectedly
9494
- uses: actions/checkout@v4
9595
# Also not acceptable - tags can be moved
9696
- uses: actions/checkout@v4.1.7
97-
# Required - pin to the full commit SHA and optionally annotate the tag for readability
97+
# Required - pin to the full commit SHA and annotate the tag for readability
9898
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
9999
```
100100
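Review bot: the rewritten paragraph at line 90 makes the tag annotation comment mandatory but says nothing about checking that the comment actually matches the pinned SHA, which is the gap that matters most: the paragraph itself argues that "without it, a pinned SHA is opaque and cannot be reviewed", so reviewers will trust the annotation, and a stale or wrong `# v4.1.7` next to a SHA that resolves to something else is worse than no comment at all. Suggest adding one sentence after "must include an inline comment identifying the corresponding tag or version", for example: "Reviewers must confirm that the SHA resolves to the annotated tag in the upstream repository before approving the change, and the comment must be updated whenever the SHA is." Two smaller points: "The tag annotation comment is not optional" restates the "must include" already in the same paragraph and could be dropped, and the example comment at line 97 still says "for readability", which undersells the rule the paragraph now states; "annotate the tag so the pin can be reviewed and updated" would match the text above it.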