domodwyer opened a new pull request, #270: URL: https://github.com/apache/skywalking-eyes/pull/270
Hi there! We use this very handy GitHub action in our public GitHub repo (thank you!) and until now we've had to [add an exception](https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/) for an unpinned `actions/setup-go` in our GitHub config to allow it to be used without a SHA pin. We don't actually use this `actions/setup-go` action ourselves - it's purely part of the dependency tree because of the import in `apache/skywalking-eyes/header`.

Given the recent supply chain attacks ([1], [2]) exploiting third-party actions, we're hoping to remove all allow-list exceptions and require SHA pins for everything, unblocking us to enable "require all actions to be pinned" on our repo.

This PR allows us (and likely others!) to opt into this extra repo security by:

* Pinning the `actions/setup-go` usage to a specific SHA commit instead of a tag
* (additional extra, happy to drop) Hardening the inputs to prevent command injection

I realise `actions/setup-go` is an official action and unlikely to be compromised, but adding the SHA pin doesn't require any tradeoffs for the increased certainty / security.

[1]: https://www.trendmicro.com/en_us/research/26/c/inside-litellm-supply-chain-compromise.html
[2]: https://www.paloaltonetworks.com/blog/cloud-security/trivy-supply-chain-attack/

---

* ci(action): pin actions/setup-go dependency (f7388a4)

  This commit switches the actions/setup-go dependency to use a commit hash pin instead of a (mutable) tag. This is considered best practice, and the official docs[1] state:

  > Using the commit SHA of a released action version is the safest for stability and security.

  [1]: https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idstepsuses

* ci(action): harden license-eye cmd arg inputs (46ef8e0)

  While these inputs are (likely) not attacker controlled, passing them via env vars ensures they are appropriately quoted / escaped.[1] This prevents command injection if a user of the action happens to be passing user-controlled inputs into the header action.

  [1]: https://docs.zizmor.sh/audits/#template-injection

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
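The two changes the PR describes (a 40-hex commit pin instead of a mutable tag, and action inputs reaching the shell through `env:` rather than being spliced into `run:` with `${{ ... }}`) can be checked mechanically. The following is an added example, not code from this PR or from the skywalking-eyes project: a standard-library-only Python audit run over two constructed `action.yml` fragments, one in the unhardened shape and one in the hardened shape. The input names `config` and `mode` and the `license-eye` command line are assumptions, and the 40-hex ref in the hardened fragment is a placeholder, not a real `actions/setup-go` commit.

```python
"""
Added example (not part of the PR or the skywalking-eyes project): a minimal
line-based audit for a composite action or workflow that reports

  1. `uses:` references that point at a tag or branch instead of a
     40-hex commit SHA (mutable, so not a real pin);
  2. `${{ ... }}` expressions interpolated directly into a `run:` script,
     the template-injection shape that passing inputs via `env:` removes.

It deliberately avoids a YAML parser so it runs with the standard library only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SHA_RE = re.compile(r"[0-9a-f]{40}")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
RUN_RE = re.compile(r"^\s*-?\s*run:\s*(.*)$")
EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")


@dataclass
class Finding:
    line: int
    kind: str    # "unpinned-action" or "template-injection"
    detail: str


def is_sha_pinned(ref: str) -> bool:
    """A ref counts as pinned only if it is a full 40-character lowercase hex SHA."""
    return SHA_RE.fullmatch(ref) is not None


def audit(text: str) -> list[Finding]:
    """Scan action/workflow YAML text and return the findings in file order."""
    lines = text.splitlines()
    findings: list[Finding] = []
    i = 0
    while i < len(lines):
        line = lines[i]
        m = USES_RE.match(line)
        if m:
            target = m.group(1)
            # Local paths and docker:// images carry no git ref to pin.
            if "@" in target and not target.startswith(("./", "docker://")):
                action, ref = target.rsplit("@", 1)
                if not is_sha_pinned(ref):
                    findings.append(Finding(i + 1, "unpinned-action", f"{action}@{ref}"))
        m = RUN_RE.match(line)
        if m:
            body = m.group(1)
            script = [(i + 1, body)]
            if body.strip() in ("|", "|-", "|+", ">", ">-", ">+"):
                # Block scalar: the script is every following line indented
                # deeper than the `run` key itself (sibling keys end it).
                key_col = line.index("run:")
                script = []
                j = i + 1
                while j < len(lines):
                    nxt = lines[j]
                    if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= key_col:
                        break
                    script.append((j + 1, nxt))
                    j += 1
                i = j - 1
            for lineno, s in script:
                for em in EXPR_RE.finditer(s):
                    findings.append(Finding(lineno, "template-injection", em.group(1)))
        i += 1
    return findings


# Constructed "before" fragment: tag-pinned dependency and inputs spliced
# straight into the shell command. Input names are assumed, not the project's.
BEFORE = """\
runs:
  using: composite
  steps:
    - uses: actions/setup-go@v5
    - run: license-eye -c ${{ inputs.config }} header ${{ inputs.mode }}
      shell: bash
"""

# Constructed "after" fragment. The 40-hex ref is a placeholder, not a real
# actions/setup-go commit. Inputs reach the shell only via env vars, so the
# script sees ordinary quoted variables instead of pre-expanded text.
AFTER = """\
runs:
  using: composite
  steps:
    - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567  # placeholder
    - run: |
        license-eye -c "$CONFIG" header "$MODE"
      shell: bash
      env:
        CONFIG: ${{ inputs.config }}
        MODE: ${{ inputs.mode }}
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(f"{name}:")
        found = audit(text)
        for f in found:
            print(f"  line {f.line}: {f.kind}: {f.detail}")
        if not found:
            print("  no findings")
```

Against the "before" fragment this reports one unpinned action and two expressions inside the `run:` script; the "after" fragment is clean because the expressions now live under `env:`, where GitHub sets them as environment variables rather than rewriting the script text. This is a coarse approximation of the zizmor template-injection audit the commit message cites: it flags every expression in a `run:` script, whereas the real audit weighs which expression contexts are actually attacker-influenced.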
