
Merge pull request #17458 from thispsj/actions-sha

Adds recommendation of SHA Pinning to example workflows
Courtney Wilson
2022-07-26 15:55:20 -04:00
committed by GitHub
26 changed files with 78 additions and 3 deletions

View File

@@ -51,6 +51,8 @@ You can also add this workflow manually by creating a new file in the `.github/w
```yaml{:copy}
{% data reusables.actions.actions-not-certified-by-github-comment %}
{% data reusables.actions.actions-use-sha-pinning-comment %}
name: Java CI
on: [push]
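Review bot: the same two-line pair `{% data reusables.actions.actions-not-certified-by-github-comment %}` / `{% data reusables.actions.actions-use-sha-pinning-comment %}` is pasted at the top of every fenced example in this commit; wrapping both in one reusable would keep them from drifting apart the next time either is reworded and would make it harder to forget the second line when a new example page is added. Both reusables also have to render as `#` YAML comment lines, since they sit inside the ```yaml fence and, where `{:copy}` is used, are copied into the reader's workflow file verbatim.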

View File

@@ -380,6 +380,8 @@ For this example, you will need to create two [PyPI API tokens](https://pypi.org
```yaml{:copy}
{% data reusables.actions.actions-not-certified-by-github-comment %}
{% data reusables.actions.actions-use-sha-pinning-comment %}
name: Upload Python Package
on:

View File

@@ -38,6 +38,8 @@ To get started quickly, add the starter workflow to the `.github/workflows` dire
```yaml
{% data reusables.actions.actions-not-certified-by-github-comment %}
{% data reusables.actions.actions-use-sha-pinning-comment %}
name: Ruby
on:
@@ -102,6 +104,8 @@ The full updated workflow with a matrix strategy could look like this:
```yaml
{% data reusables.actions.actions-not-certified-by-github-comment %}
{% data reusables.actions.actions-use-sha-pinning-comment %}
name: Ruby CI
on:
@@ -206,6 +210,8 @@ The following example matrix tests all stable releases and head versions of MRI,
```yaml
{% data reusables.actions.actions-not-certified-by-github-comment %}
{% data reusables.actions.actions-use-sha-pinning-comment %}
name: Matrix Testing
on:
@@ -239,6 +245,8 @@ The following example installs `rubocop` and uses it to lint all files. For more
```yaml
{% data reusables.actions.actions-not-certified-by-github-comment %}
{% data reusables.actions.actions-use-sha-pinning-comment %}
name: Linting
on: [push]
@@ -265,6 +273,8 @@ You can store any access tokens or credentials needed to publish your package us
```yaml
{% data reusables.actions.actions-not-certified-by-github-comment %}
{% data reusables.actions.actions-use-sha-pinning-comment %}
name: Ruby Gem
on:

View File

@@ -68,8 +68,12 @@ The examples below demonstrate using the `fwal/setup-swift` action.
You can configure your job to use multiple versions of Swift in a matrix.
```yaml{:copy}
{% data reusables.actions.actions-not-certified-by-github-comment %}
{% data reusables.actions.actions-use-sha-pinning-comment %}
name: Swift
on: [push]

View File

@@ -93,6 +93,8 @@ Ensure that you provide your own values for all the variables in the `env` key o
```yaml{:copy}
{% data reusables.actions.actions-not-certified-by-github-comment %}
{% data reusables.actions.actions-use-sha-pinning-comment %}
name: Deploy to Amazon ECS
on:

View File

@@ -81,6 +81,8 @@ Ensure that you set `AZURE_WEBAPP_NAME` in the workflow `env` key to the name of
```yaml{:copy}
{% data reusables.actions.actions-not-certified-by-github-comment %}
{% data reusables.actions.actions-use-sha-pinning-comment %}
name: Build and deploy a container to an Azure Web App
env:

View File

@@ -67,6 +67,8 @@ Ensure that you set `AZURE_WEBAPP_NAME` in the workflow `env` key to the name of
```yaml{:copy}
{% data reusables.actions.actions-not-certified-by-github-comment %}
{% data reusables.actions.actions-use-sha-pinning-comment %}
name: Build and deploy JAR app to Azure Web App
env:

View File

@@ -66,6 +66,8 @@ Ensure that you set `AZURE_WEBAPP_NAME` in the workflow `env` key to the name of
```yaml{:copy}
{% data reusables.actions.actions-not-certified-by-github-comment %}
{% data reusables.actions.actions-use-sha-pinning-comment %}
name: Build and deploy ASP.Net Core app to an Azure Web App
env:

View File

@@ -72,6 +72,8 @@ Ensure that you set `AZURE_WEBAPP_NAME` in the workflow `env` key to the name of
```yaml{:copy}
{% data reusables.actions.actions-not-certified-by-github-comment %}
{% data reusables.actions.actions-use-sha-pinning-comment %}
on:
push:
branches:

View File

@@ -66,6 +66,8 @@ Ensure that you set `AZURE_WEBAPP_NAME` in the workflow `env` key to the name of
```yaml{:copy}
{% data reusables.actions.actions-not-certified-by-github-comment %}
{% data reusables.actions.actions-use-sha-pinning-comment %}
name: Build and deploy PHP app to Azure Web App
env:

View File

@@ -69,6 +69,8 @@ Ensure that you set `AZURE_WEBAPP_NAME` in the workflow `env` key to the name of
```yaml{:copy}
{% data reusables.actions.actions-not-certified-by-github-comment %}
{% data reusables.actions.actions-use-sha-pinning-comment %}
name: Build and deploy Python app to Azure Web App
env:

View File

@@ -55,6 +55,8 @@ This workflow uses the `helm` render engine for the [`azure/k8s-bake` action](ht
```yaml{:copy}
{% data reusables.actions.actions-not-certified-by-github-comment %}
{% data reusables.actions.actions-use-sha-pinning-comment %}
name: Build and deploy to Azure Kubernetes Service
env:

View File

@@ -54,6 +54,8 @@ For more information about these values, see "[Build configuration for Azure Sta
```yaml{:copy}
{% data reusables.actions.actions-not-certified-by-github-comment %}
{% data reusables.actions.actions-use-sha-pinning-comment %}
name: Deploy web app to Azure Static Web Apps
env:

View File

@@ -137,6 +137,8 @@ Under the `env` key, change the value of `GKE_CLUSTER` to the name of your clust
```yaml{:copy}
{% data reusables.actions.actions-not-certified-by-github-comment %}
{% data reusables.actions.actions-use-sha-pinning-comment %}
name: Build and Deploy to GKE
on:

View File

@@ -32,6 +32,8 @@ In the tutorial, you will first make a workflow file that uses the [`andymckay/l
```yaml{:copy}
{% indented_data_reference reusables.actions.actions-not-certified-by-github-comment spaces=4 %}
{% indented_data_reference reusables.actions.actions-use-sha-pinning-comment spaces=4 %}
name: Label issues
on:
issues:

View File

@@ -33,6 +33,8 @@ In the tutorial, you will first make a workflow file that uses the [`peter-evans
```yaml{:copy}
{% indented_data_reference reusables.actions.actions-not-certified-by-github-comment spaces=4 %}
{% indented_data_reference reusables.actions.actions-use-sha-pinning-comment spaces=4 %}
name: Add comment
on:
issues:

View File

@@ -34,6 +34,8 @@ In the tutorial, you will first make a workflow file that uses the [`alex-page/g
```yaml{:copy}
{% indented_data_reference reusables.actions.actions-not-certified-by-github-comment spaces=4 %}
{% indented_data_reference reusables.actions.actions-use-sha-pinning-comment spaces=4 %}
name: Move assigned card
on:
issues:

View File

@@ -30,10 +30,11 @@ In the tutorial, you will first make a workflow file that uses the [`andymckay/l
2. Choose a project that belongs to the repository. This workflow cannot be used with projects that belong to users or organizations. You can use an existing project, or you can create a new project. For more information about creating a project, see "[Creating a project board](/github/managing-your-work-on-github/creating-a-project-board)."
3. {% data reusables.actions.make-workflow-file %}
4. Copy the following YAML contents into your workflow file.
```yaml{:copy}
{% indented_data_reference reusables.actions.actions-not-certified-by-github-comment spaces=4 %}
{% indented_data_reference reusables.actions.actions-use-sha-pinning-comment spaces=4 %}
name: Remove labels
on:
project_card:
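Review bot: this example sits inside step 4 of the numbered list, so `indented_data_reference ... spaces=4` must match the indentation of the ```yaml{:copy} fence and the `name:` line that follow it, or the two comment lines will break out of the list item and render as plain text above the block; worth checking in the rendered page for each of the tutorial hunks that use the indented form rather than the plain `{% data %}` tag.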

View File

@@ -32,6 +32,8 @@ In the tutorial, you will first make a workflow file that uses the [`imjohnbo/is
```yaml{:copy}
{% indented_data_reference reusables.actions.actions-not-certified-by-github-comment spaces=4 %}
{% indented_data_reference reusables.actions.actions-use-sha-pinning-comment spaces=4 %}
name: Weekly Team Sync
on:
schedule:

View File

@@ -409,6 +409,8 @@ workflows:
```yaml
{% data reusables.actions.actions-not-certified-by-github-comment %}
{% data reusables.actions.actions-use-sha-pinning-comment %}
name: Containers
on: [push]

View File

@@ -69,6 +69,8 @@ The `build-push-action` options required for Docker Hub are:
```yaml{:copy}
{% data reusables.actions.actions-not-certified-by-github-comment %}
{% data reusables.actions.actions-use-sha-pinning-comment %}
name: Publish Docker image
on:
@@ -142,9 +144,12 @@ The `build-push-action` options required for {% data variables.product.prodname_
The above workflow is triggered by a push to the "release" branch. It checks out the GitHub repository, and uses the `login-action` to log in to the {% data variables.product.prodname_container_registry %}. It then extracts labels and tags for the Docker image. Finally, it uses the `build-push-action` action to build the image and publish it on the {% data variables.product.prodname_container_registry %}.
{% else %}
```yaml{:copy}
{% data reusables.actions.actions-not-certified-by-github-comment %}
{% data reusables.actions.actions-use-sha-pinning-comment %}
name: Publish Docker image
on:
@@ -194,6 +199,8 @@ The following example workflow uses the steps from the previous sections ("[Publ
```yaml{:copy}
{% data reusables.actions.actions-not-certified-by-github-comment %}
{% data reusables.actions.actions-use-sha-pinning-comment %}
name: Publish Docker image
on:

View File

@@ -77,8 +77,11 @@ publishing {
With this configuration, you can create a workflow that publishes your package to the Maven Central Repository by running the `gradle publish` command. In the deploy step, youll need to set environment variables for the username and password or token that you use to authenticate to the Maven repository. For more information, see "[Creating and using encrypted secrets](/github/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)."
```yaml{:copy}
{% data reusables.actions.actions-not-certified-by-github-comment %}
{% data reusables.actions.actions-use-sha-pinning-comment %}
name: Publish package to the Maven Central Repository
on:
release:
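Review bot: the context line in this hunk reads "youll need to set environment variables"; if the missing apostrophe is in the source rather than an artifact of this view, correcting it to "you'll" here is a cheap drive-by since the paragraph is already part of the diff.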
@@ -146,8 +149,11 @@ publishing {
With this configuration, you can create a workflow that publishes your package to {% data variables.product.prodname_registry %} by running the `gradle publish` command.
```yaml{:copy}
{% data reusables.actions.actions-not-certified-by-github-comment %}
{% data reusables.actions.actions-use-sha-pinning-comment %}
name: Publish package to GitHub Packages
on:
release:
@@ -224,8 +230,11 @@ publishing {
With this configuration, you can create a workflow that publishes your package to both the Maven Central Repository and {% data variables.product.prodname_registry %} by running the `gradle publish` command.
```yaml{:copy}
{% data reusables.actions.actions-not-certified-by-github-comment %}
{% data reusables.actions.actions-use-sha-pinning-comment %}
name: Publish package to the Maven Central Repository and GitHub Packages
on:
release:

View File

@@ -66,6 +66,8 @@ For more information about other changes you can make to your project through th
```yaml{:copy}
{% data reusables.actions.actions-not-certified-by-github-comment %}
{% data reusables.actions.actions-use-sha-pinning-comment %}
name: Add PR to project
on:
pull_request:

View File

@@ -89,11 +89,14 @@ Create a new workflow file in your repository (such as `.github/workflows/deploy
{% data reusables.package_registry.publish-docker-image %}
{% else %}
```yaml{:copy}
name: Create and publish a Docker image
```yaml{:copy}
{% data reusables.actions.actions-not-certified-by-github-comment %}
{% data reusables.actions.actions-use-sha-pinning-comment %}
name: Create and publish a Docker image
on:
push:
branches: ['release']
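Review bot: this hunk shows ```yaml{:copy} and `name: Create and publish a Docker image` twice, once before the two comment reusables and once after; confirm the first pair is the removed text and not retained, otherwise the rendered page ends up with a fence opener inside a fence and a duplicate top-level `name` key. The `{% if %}` branch above it renders `reusables.package_registry.publish-docker-image`, so that reusable needs the same two lines for the other product variant to carry the recommendation (the last hunk in this commit appears to do exactly that).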

View File

@@ -0,0 +1,3 @@
# GitHub recommends pinning actions to a commit SHA.
# To get a newer version, you will need to update the SHA.
# You can also reference a tag or branch, but the action may change without warning.
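Review bot: the recommendation should say a full-length commit SHA, since that is the form GitHub's own hardening guidance asks for and an abbreviated SHA is not an immutable reference in the same way. It would also help to show what a pinned step looks like, e.g. `uses: OWNER/ACTION@<full commit SHA> # vX.Y.Z`, with the release version kept as a trailing comment so readers can tell which version a given SHA corresponds to when they update it; the closing line that tags and branches "may change without warning" is the right framing of the risk and should stay.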

View File

@@ -1,6 +1,8 @@
```yaml{:copy}
{% data reusables.actions.actions-not-certified-by-github-comment %}
{% data reusables.actions.actions-use-sha-pinning-comment %}
name: Create and publish a Docker image
on: