From d10a7642f8d99244fc9c5fd44e3c41109703727d Mon Sep 17 00:00:00 2001
From: William So
Date: Fri, 3 Apr 2026 14:36:57 +0800
Subject: [PATCH 1/2] ci: pin GitHub Actions to commit SHAs
---
 .github/workflows/check.yml | 16 ++++++++--------
 .github/workflows/docker.yml | 10 +++++-----
 .github/workflows/release.yml | 14 +++++++-------
 3 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index f01f698..af2b747 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -30,11 +30,11 @@ jobs:
 timeout-minutes: 5
 continue-on-error: true
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 fetch-depth: 0
- - uses: actions/setup-node@v6
+ - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
 with:
 node-version: 24
@@ -42,7 +42,7 @@ jobs:
 corepack enable
 corepack install
- - uses: actions/setup-node@v6
+ - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
 with:
 cache: yarn
@@ -59,18 +59,18 @@ jobs:
 timeout-minutes: 2
 continue-on-error: true
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- - uses: wagoid/commitlint-github-action@v6
+ - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed
 tests:
 runs-on: ${{ vars.ACTIONS_RUNNER_TYPE || 'ubuntu-latest' }}
 timeout-minutes: 5
 continue-on-error: true
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- - uses: actions/setup-node@v6
+ - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
 with:
 node-version: 24
@@ -78,7 +78,7 @@ jobs:
 corepack enable
 corepack install
- - uses: actions/setup-node@v6
+ - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
 with:
 cache: yarn
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 997e364..3065d5a 100644
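Review bot: Every pinned `uses:` line in this hunk drops the tag it was resolved from, so a reader cannot tell that `de0fac2e4500dabe0009e67214ff5f5447ce83dd` corresponds to `actions/checkout` v6 without querying GitHub, and tooling such as Dependabot and Renovate use a trailing version comment to track and bump SHA pins. Keep the tag as a comment on each pinned line, e.g. `- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6` and `- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6`. The same applies to the remaining check.yml hunks and to every hunk in docker.yml and release.yml. The commit message does not record how each SHA was obtained; it is worth confirming that each one is the commit the corresponding release tag points to in the upstream repository, since a pin only protects against tag moves if it starts from the intended release.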
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -36,13 +36,13 @@ jobs:
 continue-on-error: true
 steps:
 - name: Setup QEMU
- uses: docker/setup-qemu-action@v4
+ uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a
 - name: Setup Docker Buildx
- uses: docker/setup-buildx-action@v4
+ uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
 - name: Login to Docker Hub
- uses: docker/login-action@v4
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
@@ -50,7 +50,7 @@ jobs:
 - name: Docker Metadata
 id: meta
- uses: docker/metadata-action@v6
+ uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf
 with:
 images: |
 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -61,7 +61,7 @@ jobs:
 test
 - name: Build and Push
- uses: docker/build-push-action@v7
+ uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294
 with:
 push: true
 tags: ${{ steps.meta.outputs.tags }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1ed0bae..156811f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -28,7 +28,7 @@ jobs:
 steps:
 - name: Release Please
- uses: googleapis/release-please-action@v4
+ uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38
 id: release
 with:
 release-type: node
@@ -36,7 +36,7 @@ jobs:
 # From:
 # https://github.com/googleapis/release-please-action?tab=readme-ov-file#creating-majorminor-tags
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 if: ${{ steps.release.outputs.release_created }}
 - name: Tag Major and Minor Versions
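Review bot: Pinning `docker/setup-qemu-action` and `docker/setup-buildx-action` to a SHA in the `@@ -36,13 +36,13 @@` hunk does not pin what those steps pull at run time: as far as I know, setup-qemu-action installs a binfmt helper container image chosen by its `image` input, which defaults to a floating tag, and buildx creates its builder from a BuildKit image, so the supply-chain exposure the commit message describes is only partly closed here. If a reproducible build environment is the goal, set those inputs explicitly to digest-pinned images, e.g. `image: <binfmt image>@sha256:<digest>` under `with:` on the QEMU step (placeholder values). The same applies to the release.yml hunk at `@@ -56,15 +56,15 @@`.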
@@ -56,15 +56,15 @@ jobs:
 - name: Setup QEMU
 if: ${{ steps.release.outputs.release_created }}
- uses: docker/setup-qemu-action@v4
+ uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a
 - name: Setup Docker Buildx
 if: ${{ steps.release.outputs.release_created }}
- uses: docker/setup-buildx-action@v4
+ uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
 - name: Login to Docker Hub
 if: ${{ steps.release.outputs.release_created }}
- uses: docker/login-action@v4
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
@@ -73,7 +73,7 @@ jobs:
 - name: Docker Metadata
 if: ${{ steps.release.outputs.release_created }}
 id: meta
- uses: docker/metadata-action@v6
+ uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf
 with:
 images: |
 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -91,7 +91,7 @@ jobs:
 - name: Build and Push
 if: ${{ steps.release.outputs.release_created }}
- uses: docker/build-push-action@v7
+ uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294
 with:
 push: true
 tags: ${{ steps.meta.outputs.tags }}
From 58df43d4883fe0e248c0620e0a30ea34c5845396 Mon Sep 17 00:00:00 2001
From: William So
Date: Fri, 3 Apr 2026 14:41:10 +0800
Subject: [PATCH 2/2] docs: note SHA pinning for GitHub Actions in CI/CD section
---
 README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 38d7155..4cd786c 100644
--- a/README.md
+++ b/README.md
@@ -46,7 +46,9 @@ For the application-level environment variables, please refer to the
 ## CI / CD
-This template supports GitHub Actions for CI / CD. The available workflows are:
+This template supports GitHub Actions for CI / CD. All GitHub Actions are pinned to specific commit SHAs to mitigate supply chain attacks.
+
+The available workflows are:
 - Checks / eslint: Run ES Lint to check problems and the format of the code.
 - Checks / commitlint: Run Commitlint to check the format of the commit messages.