[openstreetmap/openstreetmap-website] Lock GitHub Actions dependencies to SHAs for security and predictability (PR #6332)

Nicholas La Roux notifications at github.com
Tue Aug 19 18:49:27 UTC 2025


larouxn left a comment (openstreetmap/openstreetmap-website#6332)

Like I said, it's highly unlikely anything actually malicious will occur since 1. all the actions in use are official ones and 2. the actions are only used for CI and PR utility. The inspiration behind this is that it's a best practice for security and predictability.

> how am I supposed to evaluate if that is a genuine version or a bugged/infected/malicious version?

When a Dependabot PR appears, one can read the README and, if desired, click in and see the diff between the previous tag/commit and the new tag/commit. This change at least allows us a chance to actually see what's changing in the GitHub Actions dependencies we use. Without it, the underlying dependencies are just changing (excluding major version bumps) whenever a new version is released, without any review.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/6332#issuecomment-3201851458

Message ID: <openstreetmap/openstreetmap-website/pull/6332/c3201851458 at github.com>
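The kind of check the comment argues for, as an added example that is not part of the PR or of the openstreetmap-website repository: a small audit that reads a workflow's `uses:` references and reports which ones still float on a tag or branch instead of being locked to a full commit SHA. The sample workflow, its 40-character SHA and the `some-org/some-action` name are constructed for this example; only the `actions/*` names are real.

```python
import re
from typing import List, NamedTuple

# Constructed sample workflow (not from the openstreetmap-website repo).
# Step 1 floats on a tag, step 2 is locked to a commit SHA with the version
# recorded in a trailing comment, step 5 floats on a branch. The SHA is a
# placeholder, not a real actions/setup-node commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.3
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.20
      - uses: some-org/some-action@main
"""

# Matches "uses: <reference>" whether or not it is a list item or quoted,
# and stops before any trailing "# vX.Y.Z" comment.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")      # GitHub commit SHAs are lowercase hex
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")     # v4, v4.0.3, 2.1 ...


class Finding(NamedTuple):
    line: int
    reference: str
    kind: str  # "sha", "tag", "branch", "local" or "docker"


def classify(reference: str) -> str:
    """Say how a single uses: reference is pinned."""
    if reference.startswith("./"):
        return "local"          # lives in this repo, moves with the checkout
    if reference.startswith("docker://"):
        return "docker"         # image reference; pinning there is by digest, not SHA
    _, sep, ref = reference.partition("@")
    if not sep:
        return "branch"         # no ref at all: treat as floating
    if SHA_RE.match(ref):
        return "sha"
    if TAG_RE.match(ref):
        return "tag"
    return "branch"


def audit_uses(workflow_text: str) -> List[Finding]:
    """Return every uses: reference in the workflow with its line and pin kind."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match:
            reference = match.group(1)
            findings.append(Finding(number, reference, classify(reference)))
    return findings


def unpinned(workflow_text: str) -> List[Finding]:
    """Only the references a third party could move to a different commit."""
    return [f for f in audit_uses(workflow_text) if f.kind in ("tag", "branch")]


if __name__ == "__main__":
    for finding in unpinned(SAMPLE_WORKFLOW):
        print(f"line {finding.line}: {finding.reference} is pinned by {finding.kind}, not SHA")
```

Running it over the sample reports `actions/checkout@v4` and `some-org/some-action@main` as floating. The trailing `# v4.0.3` comment on the SHA-locked line is the convention the comment relies on: it keeps the human-readable version visible in the diff, and Dependabot updates both the SHA and that comment when it proposes a bump, so the reviewer can still compare the old and new tag commits.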

