
Use commit hashes for GitHub Action versions #388


Merged: 1 commit, Jul 22, 2025

Conversation

bestbeforetoday
Member

Closes #387


@bestbeforetoday bestbeforetoday marked this pull request as ready for review July 21, 2025 21:35
@bestbeforetoday bestbeforetoday requested a review from a team as a code owner July 21, 2025 21:35
@denyeart
Contributor

I had been holding out on using commit hashes for GitHub Actions as I didn't know if the benefits warranted the additional maintenance, at least for GitHub-provided actions where the risk is low. For third-party actions I agree there is more risk and therefore more reason to do so.

We could also decide to do it for release actions but not other actions since the stakes are higher for release actions.

This is probably a decision that should span all repositories, so just wanted to pause a moment and collect thoughts before merging.

@bestbeforetoday
Member Author

My intention was to also enable dependabot for the GitHub Actions ecosystem, which means that dependabot deals with keeping the hashes up-to-date with the latest release and it is no effort (other than merging dependabot PRs) for maintainers. I am already doing this successfully for the fabric-gateway repository.
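The two points raised in this thread, treating first-party and third-party actions differently, and letting Dependabot keep SHA pins current, are easy to check mechanically. The following is an added example, not code from this pull request or from any Hyperledger repository: it scans the `uses:` lines of a workflow, classifies each ref as an immutable commit SHA, a tag, or a branch, flags third-party actions separately, and reports SHA pins that lack the trailing `# vX.Y.Z` comment Dependabot updates alongside the hash. The sample workflow is constructed for the example; the 40-hex SHAs in it are placeholders, not real commits of the named actions, and the set of owners counted as first-party is this example's own assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption for this example: these owners are treated as GitHub-maintained
# (first-party); everything else counts as third-party.
FIRST_PARTY_OWNERS = {"actions", "github"}

# `- uses: owner/repo@ref   # optional version comment`
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)(?:\s*#\s*(\S+))?\s*$")
# Full-length git SHA-1 or SHA-256; abbreviated hashes are not accepted as pins.
SHA_RE = re.compile(r"^[0-9a-f]{40}$|^[0-9a-f]{64}$")
# Tags that look like versions (v4, v4.2, 4.2.2). Anything else non-SHA is a branch.
TAG_RE = re.compile(r"^v?\d+(?:\.\d+){0,2}$")

# Constructed sample workflow; the SHAs below are placeholder hex, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: actions/setup-go@v5
      - uses: docker/login-action@main
      - uses: some-org/some-action@fedcba9876543210fedcba9876543210fedcba98
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - run: go test ./...
"""


@dataclass
class Finding:
    action: str                    # owner/repo or owner/repo/path
    ref: str                       # what follows the '@'
    kind: str                      # 'sha', 'tag' or 'branch'
    first_party: bool
    version_comment: Optional[str]  # e.g. 'v4.2.2' after a SHA pin, else None


def audit_workflow(text: str) -> List[Finding]:
    """Classify every repository action reference in a workflow file."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        target, comment = m.group(1), m.group(2)
        # Local composite actions and docker:// images are not repo refs; a docker
        # image would need an image digest rather than a commit SHA, so skip both.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        if "@" not in target:
            continue  # malformed reference; GitHub itself rejects these
        action, ref = target.rsplit("@", 1)
        if SHA_RE.match(ref):
            kind = "sha"
        elif TAG_RE.match(ref):
            kind = "tag"
        else:
            kind = "branch"
        owner = action.split("/", 1)[0]
        findings.append(Finding(action, ref, kind, owner in FIRST_PARTY_OWNERS, comment))
    return findings


def unpinned(findings: List[Finding], third_party_only: bool = False) -> List[Finding]:
    """Refs that are mutable (tag or branch), optionally ignoring first-party actions."""
    return [f for f in findings
            if f.kind != "sha" and not (third_party_only and f.first_party)]


def sha_without_version_comment(findings: List[Finding]) -> List[Finding]:
    """SHA pins with no '# vX.Y.Z' trailer, which leaves reviewers unable to read the version."""
    return [f for f in findings if f.kind == "sha" and not f.version_comment]


if __name__ == "__main__":
    found = audit_workflow(SAMPLE_WORKFLOW)
    for f in unpinned(found):
        scope = "first-party" if f.first_party else "third-party"
        print(f"unpinned ({f.kind}, {scope}): {f.action}@{f.ref}")
    for f in sha_without_version_comment(found):
        print(f"sha pin without version comment: {f.action}@{f.ref}")
```

Running it on a real repository means feeding each file under `.github/workflows/` to `audit_workflow`; `unpinned(found, third_party_only=True)` implements the narrower policy of pinning only third-party actions, while `unpinned(found)` implements pinning everything. To have Dependabot maintain the pins as described above, the repository's `.github/dependabot.yml` needs an entry with `package-ecosystem: "github-actions"` and `directory: "/"`; Dependabot then raises pull requests that move the SHA and rewrite the `# vX.Y.Z` comment together.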

@denyeart
Contributor

OK, sounds good.

@denyeart denyeart merged commit c56793c into hyperledger:main Jul 22, 2025
10 checks passed
@bestbeforetoday bestbeforetoday deleted the action-hashes branch July 22, 2025 12:37
Development
Successfully merging this pull request may close these issues: Reference action versions by hash in GitHub Actions workflows
2 participants