t.behrendt/renovate-configs
1
0
Fork 0
Code Issues 6 Pull Requests Actions Releases Activity

feat: pin digest of GitHub action updates #2

Merged
t.behrendt merged 1 commits from feat-pin-digest-of-gh-actions into main 2025-10-08 18:54:51 +02:00
Conversation 1 Commits 1 Files Changed 1 +1
t.behrendt commented 2025-10-08 18:51:45 +02:00
Owner
Copy Link

We always want to pin GitHub actions to a digest, to avoid attack vectors where existing tags are being re-used and their implementation replaced with malicious code.
As described in renovate's documentation, adding the "helpers:pinGitHubActionDigests" to the extends automatically forces renovate to always pin digests.

We always want to pin GitHub actions to a digest, to avoid attack vectors where existing tags are being re-used and their implementation replaced with malicious code. As described in [renovate's documentation](https://docs.renovatebot.com/modules/manager/github-actions/#digest-pinning-and-updating), adding the "helpers:pinGitHubActionDigests" to the extends automatically forces renovate to always pin digests.
t.behrendt added 1 commit 2025-10-08 18:51:45 +02:00
feat: pin digest of GitHub action updates
All checks were successful
CI / Test (common.json) (pull_request) Successful in 14s
Details
CI / Test (helm.json) (pull_request) Successful in 13s
Details
CI / Test (docker-compose.json) (pull_request) Successful in 34s
Details
CI / Test (k8s.json) (pull_request) Successful in 12s
Details
CI / Test (action.json) (pull_request) Successful in 1m8s
Details
46bd427217
t.behrendt requested review from branch-buddy 2025-10-08 18:52:46 +02:00
branch-buddy approved these changes 2025-10-08 18:53:42 +02:00
branch-buddy left a comment
Collaborator
Copy Link

LGTM

LGTM
t.behrendt merged commit 4bc8c6e40f into main 2025-10-08 18:54:51 +02:00
t.behrendt deleted branch feat-pin-digest-of-gh-actions 2025-10-08 18:54:51 +02:00
Sign in to join this conversation.
Reviewers
No Reviewers
branch-buddy
Labels
Clear labels
bug
Something is not working
 duplicate
This issue or pull request already exists
 enhancement
New feature
 help wanted
Need some help
 invalid
Something is wrong
 question
More information is needed
 wontfix
This won't be fixed
No Label
Milestone
No items
No Milestone
Assignees
Clear assignees
branch-buddy renovate-bot t.behrendt
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: t.behrendt/renovate-configs#2
Delete Branch "feat-pin-digest-of-gh-actions"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?