There have been various supply chain attacks on upstream projects via workflows that automatically pick up the latest version of their build dependencies.

So instead of having

```yaml
- uses: actions/checkout@v5
```

the workflows should pin each action to a commit SHA:

```yaml
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
```

Rather than doing this by hand every time, a simple script would be great. It takes an input file; the config file should be under `.github` and in YAML format, `.github/action-versions.yaml`:

```yaml
actions/checkout: 08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
actions/upload-artifact: [ref] #v5.0.0
```

The script should be in `./scripts/update-workflows.sh` and should have two commands:

- `update-version`: updates the pins in `action-versions.yaml`
- `update-workflows`: updates the workflows with the versions from `action-versions.yaml`
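A sketch of what such a script could look like, as an added example (not the project's own `./scripts/update-workflows.sh`). It assumes the layout requested above: a `.github/action-versions.yaml` with one `owner/repo: <sha> #<tag>` line per action and the workflows under `.github/workflows`. `update-version` resolves the tag named in each line's `#` comment to the commit it points at via `git ls-remote` (network needed), `update-workflows` rewrites every `uses: owner/repo@<ref>` line to the pinned SHA, and a third `check` command, an addition beyond the two requested, lists any `uses:` line still referencing a mutable ref. The `actions/checkout` SHA below is the one from this issue; the `actions/upload-artifact` SHA in the comments is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not the project's script. Assumed layout:
#   .github/action-versions.yaml   lines of "owner/repo: <sha> #<tag>"
#   .github/workflows/*.yml|*.yaml  workflows whose "uses:" lines get rewritten
set -eu

CONFIG="${CONFIG:-.github/action-versions.yaml}"
WORKFLOW_DIR="${WORKFLOW_DIR:-.github/workflows}"

# Print "owner/repo<TAB>sha<TAB>tag" per pin; blank lines and comments are skipped.
# The tag is taken from the trailing "#vX.Y.Z" comment of the line.
read_pins() {
  awk '
    /^[[:space:]]*(#|$)/ { next }
    {
      key = $1; sub(/:$/, "", key)
      sha = $2
      tag = ""
      if (match($0, /#[[:space:]]*[^[:space:]]+/)) {
        tag = substr($0, RSTART + 1, RLENGTH - 1)
        sub(/^[[:space:]]+/, "", tag)
      }
      print key "\t" sha "\t" tag
    }' "$1"
}

# update-version: resolve each tag to the commit it points at (the peeled
# "^{}" ref, so annotated tags yield the commit, not the tag object) and
# rewrite the sha column. Needs network access to github.com.
update_version() {
  cfg="$1"
  tmp="$(mktemp)"
  read_pins "$cfg" | while read -r key sha tag; do
    resolved="$(git ls-remote "https://github.com/$key" \
                  "refs/tags/$tag" "refs/tags/$tag^{}" | awk 'END { print $1 }')"
    [ -n "$resolved" ] || { echo "cannot resolve $key@$tag" >&2; exit 1; }
    printf '%s: %s #%s\n' "$key" "$resolved" "$tag"
  done > "$tmp"
  mv "$tmp" "$cfg"
}

# update-workflows: rewrite "uses: owner/repo@<ref>" (plus any trailing
# comment) to "uses: owner/repo@<sha> # <tag>"; indentation is preserved.
update_workflows() {
  cfg="$1"; dir="$2"
  for f in "$dir"/*.yml "$dir"/*.yaml; do
    [ -f "$f" ] || continue
    tmp="$(mktemp)"
    cp "$f" "$tmp"
    read_pins "$cfg" | while read -r key sha tag; do
      esc="$(printf '%s' "$key" | sed 's/[.]/\\./g')"   # escape dots for the regex
      sed -E "s|(uses:[[:space:]]*${esc})@[^[:space:]#]+([[:space:]]*#.*)?$|\\1@${sha} # ${tag}|" \
        "$tmp" > "$tmp.new"
      mv "$tmp.new" "$tmp"
    done
    mv "$tmp" "$f"
  done
}

# check: list "uses:" lines whose ref is not a full 40-hex commit SHA.
# Tags and branches are mutable, so these are the references a compromised
# upstream can retarget; an empty result means everything is pinned.
check_pins() {
  dir="$1"
  grep -HnE 'uses:[[:space:]]*[^[:space:]@]+@' "$dir"/*.yml "$dir"/*.yaml 2>/dev/null \
    | grep -vE '@[0-9a-f]{40}([[:space:]]|$)' || true
}

main() {
  case "${1:-}" in
    update-version)   update_version "$CONFIG" ;;
    update-workflows) update_workflows "$CONFIG" "$WORKFLOW_DIR" ;;
    check)            check_pins "$WORKFLOW_DIR" ;;
    *) echo "usage: $0 {update-version|update-workflows|check}" >&2; return 2 ;;
  esac
}

# Dispatch only when run as the script itself, so the functions can be sourced.
case "${0##*/}" in update-workflows.sh) main "$@" ;; esac
```

Running `./scripts/update-workflows.sh check` in CI (failing the job on non-empty output) catches a workflow that slips back to a tag; `update-version` followed by `update-workflows` is the bump procedure, and the diff of the SHA column is what a reviewer inspects before merging.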