[openstreetmap/openstreetmap-website] Lock GitHub Actions dependencies to SHAs for security and predictability (PR #6332)

Nicholas La Roux notifications at github.com
Mon Aug 18 14:45:18 UTC 2025


### Description

Lock GitHub Actions dependencies to specific version SHAs for security and predictability. Doing so is a best practice as we then know exactly which version of a given dependency is being used. Without locking to SHAs, Actions will simply use whatever latest version is available for the given specified version, usually a major such as "v4", leading to "silent bumps" at the GitHub Action runtime level.

Locking to SHAs will also allow us to receive patch and minor level dependency upgrade PRs as opposed to, in most cases, just bumps for major versions.

### How has this been tested?

CI and Danger runs will prove if these changes are proper or not as they only affect GitHub Actions.

For reference here are the GitHub Actions dependencies releases so we can check the SHAs.

- https://github.com/actions/checkout/releases/tag/v5.0.0 (https://github.com/actions/checkout/commit/08c6903cd8c0fde910a37f88322edcfb5dd907a8)
- https://github.com/ruby/setup-ruby/releases/tag/v1.255.0 (https://github.com/ruby/setup-ruby/commit/829114fc20da43a41d27359103ec7a63020954d4)
- https://github.com/actions/setup-node/releases/tag/v4.4.0 (https://github.com/actions/setup-node/commit/49933ea5288caeca8642d1e84afbd3f7d6820020)
- https://github.com/actions/upload-artifact/releases/tag/v4.6.2 (https://github.com/actions/upload-artifact/commit/ea165f8d65b6e75b540449e92b4886f43607fa02)
- https://github.com/coverallsapp/github-action/releases/tag/v2.3.6 (https://github.com/coverallsapp/github-action/commit/648a8eb78e6d50909eff900e4ec85cab4524a45b)

You can view, comment on, or merge this pull request online at:

  https://github.com/openstreetmap/openstreetmap-website/pull/6332

-- Commit Summary --

  * Lock GitHub Actions dependencies to SHAs for security and predictability

-- File Changes --

    M .github/workflows/danger.yml (4)
    M .github/workflows/docker.yml (2)
    M .github/workflows/lint.yml (24)
    M .github/workflows/tests.yml (12)

-- Patch Links --

https://github.com/openstreetmap/openstreetmap-website/pull/6332.patch
https://github.com/openstreetmap/openstreetmap-website/pull/6332.diff


Message ID: <openstreetmap/openstreetmap-website/pull/6332 at github.com>
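The PR's point is that `uses: owner/repo@v4` resolves to whatever commit the mutable tag points at on each run, while `uses: owner/repo@<40-hex sha> # v4.x.y` does not. The following checker, added here as an example and not part of the PR or the openstreetmap-website repository, scans workflow text for `uses:` references and reports every GitHub-hosted action that is pinned to a tag or branch rather than a full commit SHA; the workflow it scans is a constructed sample that reuses the actions/checkout SHA listed above.

```python
import re

# Constructed sample workflow (not from the PR): a mix of a SHA-pinned step,
# tag/branch-pinned steps and a local action, so the checker has something to flag.
SAMPLE_WORKFLOW = """\
name: tests
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - uses: ruby/setup-ruby@v1
      - uses: coverallsapp/github-action@master
      - uses: ./.github/actions/local-step
      - name: Upload coverage
        uses: actions/upload-artifact@v4.6.2
"""

# A `uses:` line at step or job level; the value may be followed by a trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref):
    """Split 'owner/repo@ref' into (action, ref, pinned_to_full_sha).
    Local (./) and docker:// references are not GitHub-hosted actions; return None."""
    ref = ref.strip("'\"")
    if ref.startswith("./") or ref.startswith("docker://"):
        return None
    action, _, version = ref.partition("@")
    return action, version, bool(FULL_SHA_RE.fullmatch(version))


def find_unpinned(workflow_text):
    """Return [(line_no, action, version)] for every action reference that is a
    mutable tag or branch rather than a full 40-hex commit SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        info = classify_ref(match.group(1))
        if info is None:
            continue
        action, version, pinned = info
        if not pinned:
            findings.append((line_no, action, version))
    return findings


if __name__ == "__main__":
    for line_no, action, version in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{version} is not pinned to a commit SHA")
```

Keeping the `# vX.Y.Z` comment next to the SHA is what lets Dependabot recognise the pinned version and open the patch and minor bump PRs the description mentions.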