
Use commit hashes for GitHub Action versions #388

Merged
denyeart merged 1 commit into hyperledger:main from bestbeforetoday:action-hashes
Jul 22, 2025

@bestbeforetoday
Member

Closes #387

Signed-off-by: Mark S. Lewis <Mark.S.Lewis@outlook.com>

@bestbeforetoday bestbeforetoday marked this pull request as ready for review July 21, 2025 21:35
@bestbeforetoday bestbeforetoday requested a review from a team as a code owner July 21, 2025 21:35
@denyeart
Contributor

I had been holding out on using commit hashes for GitHub Actions as I didn't know if the benefits warranted the additional maintenance, at least for GitHub-provided actions where the risk is low. For third-party actions I agree there is more risk and therefore more reason to do so.

We could also decide to do it for release actions but not other actions since the stakes are higher for release actions.

This is probably a decision that should span all repositories, so just wanted to pause a moment and collect thoughts before merging.

@bestbeforetoday
Member Author

My intention was to also enable Dependabot for the GitHub Actions ecosystem, which means that Dependabot deals with keeping the hashes up to date with the latest release and it is no effort (other than merging Dependabot PRs) for maintainers. I am already doing this successfully for the fabric-gateway repository.

@denyeart
Contributor

Ok sounds good.

@denyeart denyeart merged commit c56793c into hyperledger:main Jul 22, 2025
10 checks passed
@bestbeforetoday bestbeforetoday deleted the action-hashes branch July 22, 2025 12:37
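
An added example, not part of the pull request or the Hyperledger repository: a small Python check that lists `uses:` references in a workflow that are not pinned to a full 40-character commit hash and labels each as GitHub-provided or third-party, the distinction raised in the discussion above. The sample workflow, its hash, the `example-org` action names and the owner list in `GITHUB_OWNERS` are assumptions constructed for illustration.

```python
import re

# `uses:` at step or job level; captures the reference, ignores a trailing comment.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*["']?([^"'\s#]+)""")
FULL_SHA = re.compile(r"[0-9a-f]{40}")
# Assumption: these owners are treated as GitHub-provided, everything else as third party.
GITHUB_OWNERS = {"actions", "github"}

def classify(ref):
    """Return (pinned, origin) for one `uses:` reference."""
    if ref.startswith("./"):
        return True, "local"            # same repository, versioned with the workflow
    if ref.startswith("docker://"):
        return "@sha256:" in ref, "docker"   # only an image digest is immutable
    target, _, version = ref.partition("@")
    origin = "github" if target.split("/")[0] in GITHUB_OWNERS else "third-party"
    # Tags, branches and abbreviated hashes can all be moved or collide.
    return bool(FULL_SHA.fullmatch(version)), origin

def audit(workflow_text):
    """List (line_number, reference, origin) for every reference not pinned to a full hash."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if match:
            pinned, origin = classify(match.group(1))
            if not pinned:
                findings.append((lineno, match.group(1), origin))
    return findings

# Constructed sample workflow; the 40-character hash and example-org names are placeholders.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/release-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: example-org/scan-action@main
      - uses: ./.github/actions/local-setup
      - name: Lint
        uses: example-org/lint-action@abc1234
"""

if __name__ == "__main__":
    for lineno, ref, origin in audit(SAMPLE):
        print(f"line {lineno}: {ref} ({origin}) is not pinned to a commit hash")
```
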
Development

Successfully merging this pull request may close these issues.

Reference action versions by hash in GitHub Actions workflows
