Enable OpenSSF Scorecard Github Action#7404
Enable OpenSSF Scorecard Github Action#7404dmcgowan merged 1 commit intocontainerd:mainfrom joycebrum:main
Conversation
|
Hi @joycebrum. Thanks for your PR. I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
|
||
| steps: | ||
| - name: "Checkout code" | ||
| uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0 |
There was a problem hiding this comment.
How about using tags instead of SHA1 digests? Existing actions generally use tags.
There was a problem hiding this comment.
Hi @kzys , the OpenSSF recommends pinning to hashes instead of versions in order to protect against tag-renaming attacks (whereby an attacker hijacks an action, uploads a malicious version and replaces an existing tag with the malicious version).
However, we're aware there are pros and cons to this approach, so if you still prefer I can modify the workflow to use versions instead of hashes.
samuelkarp
left a comment
samuelkarp
left a comment
There was a problem hiding this comment.
Thanks for removing the badge and upload. Please squash the four commits into one or remove the three no-op commits; we don't need them to remain in our git history.
Signed-off-by: Joyce Brum <[email protected]>
6 participants
Hi, I've openned the PR in the wrong repo (containerd/project#91 and containerd/project#92)
Here is the activation of the Scorecard Github Action and Badge to the containerd correct repo.
Thanks!