added the workflow and script to pin commit hash#6497
added the workflow and script to pin commit hash#6497antedotee wants to merge 1 commit intopipe-cd:masterfrom
Conversation
Signed-off-by: antedotee <soniyadav2051982@gmail.com>
antedotee
force-pushed
the
add-commit-hash-workflow
branch
from
1fe0f43 to
575e52a
Compare
|
@khanhtc1202 Please take a look. Instead of raising PR solely for the workflow, the workflow was referencing the local script, so I added the local script here for end to end setup. I have run the script locally and it is working perfectly. If this gets merged, I think I can raise next PR for changing all the tags to commit hashes, and another PR for referencing the changes made in the documentation so that contributors can reference it to know what is going on. |
|
This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 7 days. |
|
I think we should enforce pinning with the native GitHub feature, not implementing the custom solution. WDYT? @khanhtc1202 |
|
This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 7 days. |
|
This PR was closed because it has been stalled for 7 days with no activity. Feel free to reopen if still applicable. |
2 participants
What this PR does:
This PR introduces a workflow and a script which will ensure every tag is pinned to the commit hash. If anything uses tag and not a commit hash, the workflow will fail and will tell you to run
hack/gha-reversemap.sh apply-reversemaplocally. I have also added.gha-reversemap.ymlwhich will act as a single source of truth for approved hashes.Why we need it:
For security purposes, makes the supply chain auditable
Which issue(s) this PR fixes:
Fixes #6492