Use commit SHA instead of branch name for third-party actions (#621)

Hi! Following the [GH Action Security Hardening](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) guide we should use the commit SHA instead of the `branch` or `tag` for any third-party untrusted action. Co-authored-by: Dimitri Saridakis <[email protected]>
redhat-developer · Feb 23, 2023 · 445f9e9 · 445f9e9
1 parent 06eca0e
commit 445f9e9
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -18,7 +18,8 @@ jobs:
       - run: yarn install
       - run: yarn build
       - name: Inject slug/short variables
-        uses: rlespinasse/github-slug-action@a362e5fb42057a3a23a62218b050838f1bacca5d #v4
+        # v4
+        uses: rlespinasse/github-slug-action@a362e5fb42057a3a23a62218b050838f1bacca5d
       - name: Validate Tag
         run: yarn semver $GITHUB_REF_SLUG
       - name: Update versions of packages
@@ -28,14 +29,15 @@ jobs:
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }} #
       - name: Install git-chglog
-        uses: craicoverflow/install-git-chglog@6d338c1d96dcbf12a2115fbe8e5b9817293aae33 #v1
+        # v1
       - name: Generate changelog
         run: |
           echo "CHANGELOG<<EOF" >> $GITHUB_ENV
           echo "$(git-chglog $GITHUB_REF_SLUG 2> /dev/null || echo '**PRERELEASE**')" >> $GITHUB_ENV
           echo "EOF" >> $GITHUB_ENV
       - name: Update Release Notes
-        uses: meeDamian/github-release@7ae19492500104f636b3fee4d8103af0fed36c8e #2.0
+        # 2.0
+        uses: meeDamian/github-release@7ae19492500104f636b3fee4d8103af0fed36c8e
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           body: ${{ env.CHANGELOG }}