ci(bluebuild): pin blue-build/github-action to commit SHA
Replace @v1 with @24d146df25adc2cf579e918efe2d9bff6adea408 (the commit v1 currently resolves to). Tag pins on third-party actions are mutable — a maintainer or attacker can re-point v1 at a malicious commit and silently change what runs on every push. Trailing comment '# v1' preserves human readability for future bumps. Refs: 9-agent CI hardening wave (agent 8), 2026-05-05.
This commit is contained in:
parent
3c247bc601
commit
f2e36bfead
1 changed files with 4 additions and 4 deletions
8
.github/workflows/build-bluebuild.yml
vendored
8
.github/workflows/build-bluebuild.yml
vendored
|
|
@ -57,12 +57,12 @@ jobs:
|
||||||
df -h
|
df -h
|
||||||
|
|
||||||
# BlueBuild action wraps: image build, cosign sign (keyless via
|
# BlueBuild action wraps: image build, cosign sign (keyless via
|
||||||
# Sigstore), GHCR push. To pin to a commit SHA in a follow-up
|
# Sigstore), GHCR push. Pinned to a commit SHA per CI hardening
|
||||||
# once the workflow shape stabilises (CI hardening agent 8,
|
# agent 8 (2026-05-05 wave). The trailing comment records the
|
||||||
# 2026-05-05 wave).
|
# tag the SHA resolved from, so future bumps stay legible.
|
||||||
- name: Build + push veilor-os OCI
|
- name: Build + push veilor-os OCI
|
||||||
id: bluebuild
|
id: bluebuild
|
||||||
uses: blue-build/github-action@v1
|
uses: blue-build/github-action@24d146df25adc2cf579e918efe2d9bff6adea408 # v1
|
||||||
with:
|
with:
|
||||||
recipe: bluebuild/recipe.yml
|
recipe: bluebuild/recipe.yml
|
||||||
registry_token: ${{ secrets.GITHUB_TOKEN }}
|
registry_token: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue