Skip to content

ci: pin GitHub Actions to commit SHAs#15

Open
matiasinsaurralde wants to merge 1 commit into
defilantech:mainfrom
matiasinsaurralde:ci/pin-actions
Open

ci: pin GitHub Actions to commit SHAs#15
matiasinsaurralde wants to merge 1 commit into
defilantech:mainfrom
matiasinsaurralde:ci/pin-actions

Conversation

@matiasinsaurralde

Copy link
Copy Markdown

What

Pin third-party GitHub Actions in build.yml, build-coder.yml, and dco.yml to immutable commit SHAs (with version comments) instead of floating tags.

Why

Floating tags can move under us; pinning to SHAs hardens CI supply-chain integrity and keeps Action versions reproducible.

How

Replaced uses: <action>@vX with uses: <action>@<sha> # vX.Y.Z for checkout, Docker setup/build/login/metadata, SBOM, artifact upload, and attest-build-provenance.

Checklist

  • Tier-1 gate passes (./scripts/tier1-gate.sh <image>)
  • If bumping the llama.cpp pin: LLAMACPP_REF and LLAMACPP_SHA updated together
  • All commits are signed off (git commit -s) per DCO

Signed-off-by: Matías Insaurralde <matias@insaurral.de>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant