Skip to content

pin actions to sha#2814

Draft
davidgamero wants to merge 3 commits intokubernetes-client:mainfrom
davidgamero:pin-actions-to-sha
Draft

pin actions to sha#2814
davidgamero wants to merge 3 commits intokubernetes-client:mainfrom
davidgamero:pin-actions-to-sha

Conversation

@davidgamero
Copy link
Copy Markdown
Contributor

@davidgamero davidgamero commented Mar 27, 2026
edited
Loading

to follow guidance from https://github.com/kubernetes/community/blob/main/github-management/github-actions-policy.md

added zizmor lint step validating SHAs exist and match

if people would prefer to hold off on the lint step i can reduce PR scope to just the pinned SHAs, i added linting to give some way to validate the SHAs are correct

All GitHub Actions MUST be referenced using commit SHA hashes.

using zizmor in the meantime to lint. this will likely be applied via repo/org settings in the future and we can drop that dependency from the test workflow

https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#managing-github-actions-permissions-for-your-repository

@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 27, 2026
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Mar 27, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: davidgamero

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 27, 2026
@linux-foundation-easycla
Copy link
Copy Markdown

linux-foundation-easycla bot commented Mar 27, 2026
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

@k8s-ci-robot k8s-ci-robot added cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Mar 27, 2026
@davidgamero
ci: pin all GitHub Actions to SHAs and add zizmor security linter
8542fa3 
Pin remaining mutable tag references to full commit SHAs with version
comments for traceability. Add zizmor as a CI job to enforce SHA pinning
and detect SHA-to-version-comment mismatches on every push and PR.

Also fix missing @ separator in codeql-analysis.yml analyze action reference.
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Mar 27, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@brendandburns brendandburns Awaiting requested review from brendandburns

@mstruebing mstruebing Awaiting requested review from mstruebing

Assignees

No one assigned

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@davidgamero @k8s-ci-robot