From 445f9e9dacaa6af57cae60de0830c06d5641700b Mon Sep 17 00:00:00 2001
From: Andrea Peruffo
Date: Thu, 23 Feb 2023 14:06:03 +0000
Subject: [PATCH] Use commit SHA instead of branch name for third-party actions (#621)

Hi!

Following the [GH Action Security Hardening](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) guide we should use the commit SHA instead of the `branch` or `tag` for any third-party untrusted action.

Co-authored-by: Dimitri Saridakis
---
 .github/workflows/release.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 81d2da09..930f05f7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -18,7 +18,8 @@ jobs:
       - run: yarn install
       - run: yarn build
       - name: Inject slug/short variables
-        uses: rlespinasse/github-slug-action@a362e5fb42057a3a23a62218b050838f1bacca5d #v4
+        # v4
+        uses: rlespinasse/github-slug-action@a362e5fb42057a3a23a62218b050838f1bacca5d
       - name: Validate Tag
         run: yarn semver $GITHUB_REF_SLUG
       - name: Update versions of packages
@@ -28,14 +29,15 @@ jobs:
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}
 #      - name: Install git-chglog
-        uses: craicoverflow/install-git-chglog@6d338c1d96dcbf12a2115fbe8e5b9817293aae33 #v1
+        # v1
       - name: Generate changelog
         run: |
           echo "CHANGELOG<> $GITHUB_ENV
           echo "$(git-chglog $GITHUB_REF_SLUG 2> /dev/null || echo '**PRERELEASE**')" >> $GITHUB_ENV
           echo "EOF" >> $GITHUB_ENV
       - name: Update Release Notes
-        uses: meeDamian/github-release@7ae19492500104f636b3fee4d8103af0fed36c8e #2.0
+        # 2.0
+        uses: meeDamian/github-release@7ae19492500104f636b3fee4d8103af0fed36c8e
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           body: ${{ env.CHANGELOG }}
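Review bot: Moving the version marker onto its own line above `uses:` drops the trailing-comment convention that Dependabot and Renovate rely on to keep a SHA pin and its human-readable version in sync, so the `a362e5fb…` pin for github-slug-action will no longer be bumped automatically and the `# v4` note will silently go stale. Pinning to a full SHA is the right call per the linked hardening guide, but a pin only stays safe if something re-pins it as upstream publishes fixes; keep the marker on the `uses:` line with a space after the hash: `uses: rlespinasse/github-slug-action@a362e5fb42057a3a23a62218b050838f1bacca5d # v4`. It is also worth stating in the PR that each SHA was checked against the tag it claims to correspond to, since a SHA copied from an untrusted README is no stronger than the tag it replaces. The step list this hunk edits begins and ends outside the hunk.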
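Review bot: The `# v1` line left behind after deleting the `uses: craicoverflow/install-git-chglog@6d338c1d…` line is a dangling version marker: the step's `- name: Install git-chglog` above it is already commented out, so the hunk now leaves a commented name, an orphan version comment and no action reference, and the pinned SHA is lost if the step is ever re-enabled. Either remove both lines or comment out the whole step consistently, e.g. `#        uses: craicoverflow/install-git-chglog@6d338c1d96dcbf12a2115fbe8e5b9817293aae33 # v1`. Note that the `Generate changelog` step still invokes `git-chglog`, which this step would have installed; with the install gone it presumably falls through to the `|| echo '**PRERELEASE**'` branch on every run, so confirm that is intended rather than a silent regression of the release notes. The same same-line `# 2.0` convention applies to the meeDamian/github-release pin at the end of the hunk, and since that action receives `secrets.GITHUB_TOKEN` to write the release, check that the job (outside this hunk) scopes `permissions:` to `contents: write` rather than inheriting the default token permissions.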