veilor-org/veilor-os
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions

ci(bluebuild): pin blue-build/github-action to commit SHA
Some checks failed
Build veilor-os OCI (BlueBuild) / Build + sign + push OCI (pull_request) Failing after 12s
Details
Lint / Kickstart syntax (pull_request) Failing after 2s
Details
Lint / Shell scripts (pull_request) Failing after 38s
Details
Lint / No personal/onyx leaks (pull_request) Failing after 35s
Details

Browse source 
Replace @v1 with @24d146df25adc2cf579e918efe2d9bff6adea408 (the commit
v1 currently resolves to). Tag pins on third-party actions are mutable
— a maintainer or attacker can re-point v1 at a malicious commit and
silently change what runs on every push.

Trailing comment '# v1' preserves human readability for future bumps.

Refs: 9-agent CI hardening wave (agent 8), 2026-05-05.
This commit is contained in:
s8n-ru 2026-05-06 10:32:13 +01:00
parent 45d9b2d020
commit 4b80d06fde
1 changed files with 4 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
.github/workflows/build-bluebuild.yml vendored
View file

@ -57,12 +57,12 @@ jobs:
df -h
# BlueBuild action wraps: image build, cosign sign (keyless via
# Sigstore), GHCR push. To pin to a commit SHA in a follow-up
# once the workflow shape stabilises (CI hardening agent 8,
# 2026-05-05 wave).
# Sigstore), GHCR push. Pinned to a commit SHA per CI hardening
# agent 8 (2026-05-05 wave). The trailing comment records the
# tag the SHA resolved from, so future bumps stay legible.
- name: Build + push veilor-os OCI
id: bluebuild
uses: blue-build/github-action@v1
uses: blue-build/github-action@24d146df25adc2cf579e918efe2d9bff6adea408 # v1
with:
recipe: bluebuild/recipe.yml
registry_token: ${{ secrets.GITHUB_TOKEN }}