diff --git a/content/actions/automating-builds-and-tests/building-and-testing-java-with-gradle.md b/content/actions/automating-builds-and-tests/building-and-testing-java-with-gradle.md
index 045e60c640..c1f0c30d86 100644
--- a/content/actions/automating-builds-and-tests/building-and-testing-java-with-gradle.md
+++ b/content/actions/automating-builds-and-tests/building-and-testing-java-with-gradle.md
@@ -51,6 +51,8 @@ You can also add this workflow manually by creating a new file in the `.github/w
 ```yaml{:copy}
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
+
 name: Java CI
 on: [push]
diff --git a/content/actions/automating-builds-and-tests/building-and-testing-python.md b/content/actions/automating-builds-and-tests/building-and-testing-python.md
index 19b883c4ce..505c47e3bd 100644
--- a/content/actions/automating-builds-and-tests/building-and-testing-python.md
+++ b/content/actions/automating-builds-and-tests/building-and-testing-python.md
@@ -380,6 +380,8 @@ For this example, you will need to create two [PyPI API tokens](https://pypi.org
 ```yaml{:copy}
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
+
 name: Upload Python Package
 on:
diff --git a/content/actions/automating-builds-and-tests/building-and-testing-ruby.md b/content/actions/automating-builds-and-tests/building-and-testing-ruby.md
index 226e8244e9..3f74c5ae1f 100644
--- a/content/actions/automating-builds-and-tests/building-and-testing-ruby.md
+++ b/content/actions/automating-builds-and-tests/building-and-testing-ruby.md
@@ -38,6 +38,8 @@ To get started quickly, add the starter workflow to the `.github/workflows` dire
 ```yaml
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
+
 name: Ruby
 on:
@@ -102,6 +104,8 @@ The full updated workflow with a matrix strategy could look like this:
 ```yaml
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
+
 name: Ruby CI
 on:
@@ -206,6 +210,8 @@ The following example matrix tests all stable releases and head versions of MRI,
 ```yaml
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
+
 name: Matrix Testing
 on:
@@ -239,6 +245,8 @@ The following example installs `rubocop` and uses it to lint all files. For more
 ```yaml
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
+
 name: Linting
 on: [push]
@@ -265,6 +273,8 @@ You can store any access tokens or credentials needed to publish your package us
 ```yaml
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
+
 name: Ruby Gem
 on:
diff --git a/content/actions/automating-builds-and-tests/building-and-testing-swift.md b/content/actions/automating-builds-and-tests/building-and-testing-swift.md
index b40251f299..3b59e1444d 100644
--- a/content/actions/automating-builds-and-tests/building-and-testing-swift.md
+++ b/content/actions/automating-builds-and-tests/building-and-testing-swift.md
@@ -68,8 +68,12 @@ The examples below demonstrate using the `fwal/setup-swift` action.
 You can configure your job to use multiple versions of Swift in a matrix.
 ```yaml{:copy}
+
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
+
+
 name: Swift
 on: [push]
diff --git a/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-amazon-elastic-container-service.md b/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-amazon-elastic-container-service.md
index 45f63321be..84cdd1d133 100644
--- a/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-amazon-elastic-container-service.md
+++ b/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-amazon-elastic-container-service.md
@@ -93,6 +93,8 @@ Ensure that you provide your own values for all the variables in the `env` key o
 ```yaml{:copy}
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
+
 name: Deploy to Amazon ECS
 on:
diff --git a/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure/deploying-docker-to-azure-app-service.md b/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure/deploying-docker-to-azure-app-service.md
index 14ede98c30..d66f1f1042 100644
--- a/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure/deploying-docker-to-azure-app-service.md
+++ b/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure/deploying-docker-to-azure-app-service.md
@@ -81,6 +81,8 @@ Ensure that you set `AZURE_WEBAPP_NAME` in the workflow `env` key to the name of
 ```yaml{:copy}
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
+
 name: Build and deploy a container to an Azure Web App
 env:
diff --git a/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure/deploying-java-to-azure-app-service.md b/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure/deploying-java-to-azure-app-service.md
index 4b605311d1..b422a8616e 100644
--- a/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure/deploying-java-to-azure-app-service.md
+++ b/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure/deploying-java-to-azure-app-service.md
@@ -67,6 +67,8 @@ Ensure that you set `AZURE_WEBAPP_NAME` in the workflow `env` key to the name of
 ```yaml{:copy}
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
+
 name: Build and deploy JAR app to Azure Web App
 env:
diff --git a/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure/deploying-net-to-azure-app-service.md b/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure/deploying-net-to-azure-app-service.md
index ab947e0ee3..c73baa565f 100644
--- a/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure/deploying-net-to-azure-app-service.md
+++ b/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure/deploying-net-to-azure-app-service.md
@@ -66,6 +66,8 @@ Ensure that you set `AZURE_WEBAPP_NAME` in the workflow `env` key to the name of
 ```yaml{:copy}
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
+
 name: Build and deploy ASP.Net Core app to an Azure Web App
 env:
diff --git a/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure/deploying-nodejs-to-azure-app-service.md b/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure/deploying-nodejs-to-azure-app-service.md
index e8872ae208..62f375ae5f 100644
--- a/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure/deploying-nodejs-to-azure-app-service.md
+++ b/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure/deploying-nodejs-to-azure-app-service.md
@@ -72,6 +72,8 @@ Ensure that you set `AZURE_WEBAPP_NAME` in the workflow `env` key to the name of
 ```yaml{:copy}
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
+
 on:
 push:
 branches:
diff --git a/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure/deploying-php-to-azure-app-service.md b/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure/deploying-php-to-azure-app-service.md
index 184e91037b..1d78d3472f 100644
--- a/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure/deploying-php-to-azure-app-service.md
+++ b/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure/deploying-php-to-azure-app-service.md
@@ -66,6 +66,8 @@ Ensure that you set `AZURE_WEBAPP_NAME` in the workflow `env` key to the name of
 ```yaml{:copy}
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
+
 name: Build and deploy PHP app to Azure Web App
 env:
diff --git a/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure/deploying-python-to-azure-app-service.md b/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure/deploying-python-to-azure-app-service.md
index 001363a2ab..f6df68d09d 100644
--- a/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure/deploying-python-to-azure-app-service.md
+++ b/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure/deploying-python-to-azure-app-service.md
@@ -69,6 +69,8 @@ Ensure that you set `AZURE_WEBAPP_NAME` in the workflow `env` key to the name of
 ```yaml{:copy}
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
+
 name: Build and deploy Python app to Azure Web App
 env:
diff --git a/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure/deploying-to-azure-kubernetes-service.md b/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure/deploying-to-azure-kubernetes-service.md
index 18ef3bcf32..11adc9d61f 100644
--- a/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure/deploying-to-azure-kubernetes-service.md
+++ b/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure/deploying-to-azure-kubernetes-service.md
@@ -55,6 +55,8 @@ This workflow uses the `helm` render engine for the [`azure/k8s-bake` action](ht
 ```yaml{:copy}
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
+
 name: Build and deploy to Azure Kubernetes Service
 env:
diff --git a/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure/deploying-to-azure-static-web-app.md b/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure/deploying-to-azure-static-web-app.md
index 26fce6009b..a095dc80db 100644
--- a/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure/deploying-to-azure-static-web-app.md
+++ b/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure/deploying-to-azure-static-web-app.md
@@ -54,6 +54,8 @@ For more information about these values, see "[Build configuration for Azure Sta
 ```yaml{:copy}
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
+
 name: Deploy web app to Azure Static Web Apps
 env:
diff --git a/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-google-kubernetes-engine.md b/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-google-kubernetes-engine.md
index 8cf7d7b541..2670c978ea 100644
--- a/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-google-kubernetes-engine.md
+++ b/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-google-kubernetes-engine.md
@@ -137,6 +137,8 @@ Under the `env` key, change the value of `GKE_CLUSTER` to the name of your clust
 ```yaml{:copy}
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
+
 name: Build and Deploy to GKE
 on:
diff --git a/content/actions/managing-issues-and-pull-requests/adding-labels-to-issues.md b/content/actions/managing-issues-and-pull-requests/adding-labels-to-issues.md
index bb3d84c987..2f25143b34 100644
--- a/content/actions/managing-issues-and-pull-requests/adding-labels-to-issues.md
+++ b/content/actions/managing-issues-and-pull-requests/adding-labels-to-issues.md
@@ -32,6 +32,8 @@ In the tutorial, you will first make a workflow file that uses the [`andymckay/l
 ```yaml{:copy}
 {% indented_data_reference reusables.actions.actions-not-certified-by-github-comment spaces=4 %}
+{% indented_data_reference reusables.actions.actions-use-sha-pinning-comment spaces=4 %}
+
 name: Label issues
 on:
 issues:
diff --git a/content/actions/managing-issues-and-pull-requests/commenting-on-an-issue-when-a-label-is-added.md b/content/actions/managing-issues-and-pull-requests/commenting-on-an-issue-when-a-label-is-added.md
index 1a9ad45227..c5dca39359 100644
--- a/content/actions/managing-issues-and-pull-requests/commenting-on-an-issue-when-a-label-is-added.md
+++ b/content/actions/managing-issues-and-pull-requests/commenting-on-an-issue-when-a-label-is-added.md
@@ -33,6 +33,8 @@ In the tutorial, you will first make a workflow file that uses the [`peter-evans
 ```yaml{:copy}
 {% indented_data_reference reusables.actions.actions-not-certified-by-github-comment spaces=4 %}
+{% indented_data_reference reusables.actions.actions-use-sha-pinning-comment spaces=4 %}
+
 name: Add comment
 on:
 issues:
diff --git a/content/actions/managing-issues-and-pull-requests/moving-assigned-issues-on-project-boards.md b/content/actions/managing-issues-and-pull-requests/moving-assigned-issues-on-project-boards.md
index 9dd033ac14..bd7a9e6115 100644
--- a/content/actions/managing-issues-and-pull-requests/moving-assigned-issues-on-project-boards.md
+++ b/content/actions/managing-issues-and-pull-requests/moving-assigned-issues-on-project-boards.md
@@ -34,6 +34,8 @@ In the tutorial, you will first make a workflow file that uses the [`alex-page/g
 ```yaml{:copy}
 {% indented_data_reference reusables.actions.actions-not-certified-by-github-comment spaces=4 %}
+{% indented_data_reference reusables.actions.actions-use-sha-pinning-comment spaces=4 %}
+
 name: Move assigned card
 on:
 issues:
diff --git a/content/actions/managing-issues-and-pull-requests/removing-a-label-when-a-card-is-added-to-a-project-board-column.md b/content/actions/managing-issues-and-pull-requests/removing-a-label-when-a-card-is-added-to-a-project-board-column.md
index 7a46d89cbd..011d5dde4e 100644
--- a/content/actions/managing-issues-and-pull-requests/removing-a-label-when-a-card-is-added-to-a-project-board-column.md
+++ b/content/actions/managing-issues-and-pull-requests/removing-a-label-when-a-card-is-added-to-a-project-board-column.md
@@ -30,10 +30,11 @@ In the tutorial, you will first make a workflow file that uses the [`andymckay/l
 2. Choose a project that belongs to the repository. This workflow cannot be used with projects that belong to users or organizations. You can use an existing project, or you can create a new project. For more information about creating a project, see "[Creating a project board](/github/managing-your-work-on-github/creating-a-project-board)."
 3. {% data reusables.actions.make-workflow-file %}
 4. Copy the following YAML contents into your workflow file.
-
 ```yaml{:copy}
 {% indented_data_reference reusables.actions.actions-not-certified-by-github-comment spaces=4 %}
+{% indented_data_reference reusables.actions.actions-use-sha-pinning-comment spaces=4 %}
+
 name: Remove labels
 on:
 project_card:
diff --git a/content/actions/managing-issues-and-pull-requests/scheduling-issue-creation.md b/content/actions/managing-issues-and-pull-requests/scheduling-issue-creation.md
index a09bdb50b6..ed254e6440 100644
--- a/content/actions/managing-issues-and-pull-requests/scheduling-issue-creation.md
+++ b/content/actions/managing-issues-and-pull-requests/scheduling-issue-creation.md
@@ -32,6 +32,8 @@ In the tutorial, you will first make a workflow file that uses the [`imjohnbo/is
 ```yaml{:copy}
 {% indented_data_reference reusables.actions.actions-not-certified-by-github-comment spaces=4 %}
+{% indented_data_reference reusables.actions.actions-use-sha-pinning-comment spaces=4 %}
+
 name: Weekly Team Sync
 on:
 schedule:
diff --git a/content/actions/migrating-to-github-actions/migrating-from-circleci-to-github-actions.md b/content/actions/migrating-to-github-actions/migrating-from-circleci-to-github-actions.md
index 9ce7cc4df9..aaa3465ccd 100644
--- a/content/actions/migrating-to-github-actions/migrating-from-circleci-to-github-actions.md
+++ b/content/actions/migrating-to-github-actions/migrating-from-circleci-to-github-actions.md
@@ -409,6 +409,8 @@ workflows:
 ```yaml
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
+
 name: Containers
 on: [push]
diff --git a/content/actions/publishing-packages/publishing-docker-images.md b/content/actions/publishing-packages/publishing-docker-images.md
index 67ac7fa7e1..a2c1dcdb96 100644
--- a/content/actions/publishing-packages/publishing-docker-images.md
+++ b/content/actions/publishing-packages/publishing-docker-images.md
@@ -69,6 +69,8 @@ The `build-push-action` options required for Docker Hub are:
 ```yaml{:copy}
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
+
 name: Publish Docker image
 on:
@@ -142,9 +144,12 @@ The `build-push-action` options required for {% data variables.product.prodname_
 The above workflow is triggered by a push to the "release" branch. It checks out the GitHub repository, and uses the `login-action` to log in to the {% data variables.product.prodname_container_registry %}. It then extracts labels and tags for the Docker image. Finally, it uses the `build-push-action` action to build the image and publish it on the {% data variables.product.prodname_container_registry %}.
 {% else %}
+
 ```yaml{:copy}
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
+
 name: Publish Docker image
 on:
@@ -194,6 +199,8 @@ The following example workflow uses the steps from the previous sections ("[Publ
 ```yaml{:copy}
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
+
 name: Publish Docker image
 on:
diff --git a/content/actions/publishing-packages/publishing-java-packages-with-gradle.md b/content/actions/publishing-packages/publishing-java-packages-with-gradle.md
index 4e039f555f..d656f4ed78 100644
--- a/content/actions/publishing-packages/publishing-java-packages-with-gradle.md
+++ b/content/actions/publishing-packages/publishing-java-packages-with-gradle.md
@@ -77,8 +77,11 @@ publishing {
 With this configuration, you can create a workflow that publishes your package to the Maven Central Repository by running the `gradle publish` command. In the deploy step, you’ll need to set environment variables for the username and password or token that you use to authenticate to the Maven repository. For more information, see "[Creating and using encrypted secrets](/github/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)."
 ```yaml{:copy}
+
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
+
 name: Publish package to the Maven Central Repository
 on:
 release:
@@ -146,8 +149,11 @@ publishing {
 With this configuration, you can create a workflow that publishes your package to {% data variables.product.prodname_registry %} by running the `gradle publish` command.
 ```yaml{:copy}
+
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
+
 name: Publish package to GitHub Packages
 on:
 release:
@@ -224,8 +230,11 @@ publishing {
 With this configuration, you can create a workflow that publishes your package to both the Maven Central Repository and {% data variables.product.prodname_registry %} by running the `gradle publish` command.
 ```yaml{:copy}
+
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
+
 name: Publish package to the Maven Central Repository and GitHub Packages
 on:
 release:
diff --git a/content/issues/trying-out-the-new-projects-experience/automating-projects.md b/content/issues/trying-out-the-new-projects-experience/automating-projects.md
index 3a1e6fd91c..0fb4d7c983 100644
--- a/content/issues/trying-out-the-new-projects-experience/automating-projects.md
+++ b/content/issues/trying-out-the-new-projects-experience/automating-projects.md
@@ -66,6 +66,8 @@ For more information about other changes you can make to your project through th
 ```yaml{:copy}
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
+
 name: Add PR to project
 on:
 pull_request:
diff --git a/content/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions.md b/content/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions.md
index 975af20119..abf40d8435 100644
--- a/content/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions.md
+++ b/content/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions.md
@@ -89,11 +89,14 @@ Create a new workflow file in your repository (such as `.github/workflows/deploy
 {% data reusables.package_registry.publish-docker-image %}
 {% else %}
-```yaml{:copy}
-name: Create and publish a Docker image
+```yaml{:copy}
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
+
+name: Create and publish a Docker image
+
 on:
 push:
 branches: ['release']
diff --git a/data/reusables/actions/actions-use-sha-pinning-comment.md b/data/reusables/actions/actions-use-sha-pinning-comment.md
new file mode 100644
index 0000000000..b3a3c95421
--- /dev/null
+++ b/data/reusables/actions/actions-use-sha-pinning-comment.md
@@ -0,0 +1,3 @@
+# GitHub recommends pinning actions to a commit SHA.
+# To get a newer version, you will need to update the SHA.
+# You can also reference a tag or branch, but the action may change without warning.
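Review bot: The first line of the new `actions-use-sha-pinning-comment.md` reusable says only "a commit SHA", while GitHub's own hardening guidance for Actions asks for a full-length commit SHA, since that is the only reference form that stays immutable; I would word it as `# GitHub recommends pinning actions to a full-length commit SHA.`. The third line could also say what the risk is rather than only "may change without warning", for example `# You can also reference a tag or branch, but a tag or branch can be moved to different code without warning.`. The hunks in this commit show only the top of each example workflow, so it is not visible here whether the `uses:` lines further down already reference a SHA; if they still use tags or branches, the examples will contradict the comment placed above them and readers will copy the weaker form.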
diff --git a/data/reusables/package_registry/publish-docker-image.md b/data/reusables/package_registry/publish-docker-image.md
index be03c6a689..a0a12f644b 100644
--- a/data/reusables/package_registry/publish-docker-image.md
+++ b/data/reusables/package_registry/publish-docker-image.md
@@ -1,6 +1,8 @@
 ```yaml{:copy}
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
+
 name: Create and publish a Docker image
 on: