GitHub Actions
Overview
You can check the state of GitHub Action usage in the organization here.
We adhere to GitHub's official recommendations with the following specifications:
Version pinning rules
- If an action is from a trusted publisher:
  - pin to a full commit SHA, or
  - pin to a release tag (e.g. v5) other than master and latest.
- If an action is from an untrusted publisher:
  - pin to a full commit SHA.
- Always prefer pinning to full commit SHAs.
- Use the latest major version of actions whenever possible.
Trusted Publishers
- BYM-IKT: Actions prefixed with bym-ikt/*
- GitHub: Actions prefixed with actions/*
- Docker: Actions prefixed with docker/*
- AWS: Actions prefixed with aws-actions/*
- HashiCorp: Actions prefixed with hashicorp/*
- Slack: Actions prefixed with slackapi/*
- Sonar: Actions prefixed with SonarSource/*
- Datadog: Actions prefixed with DataDog/*
- pnpm: Actions prefixed with pnpm/*
Warning
Any publisher not listed above is treated as untrusted.
Please contact Team Cloud if you want to update the list of trusted publishers.
Examples
Using actions from a Trusted Publisher
Bad
or
Avoid pinning actions to an unpredictable ref/tag, even if the action is from a trusted publisher.
Good
or
actions/setup-node is from a trusted publisher, so pinning to a tag (like v5) is allowed.
Pinning to a full commit SHA is still preferred.
Even for trusted publishers, do not pin to master or latest, since these are more volatile.
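The pinning rules above can be checked mechanically. The following script is an added example, not part of this documentation or of any BYM-IKT tooling: it scans the `uses:` lines of a workflow file, applies the trusted-publisher list and the SHA/tag/volatile-ref rules, and reports a verdict per line. The sample workflow and the 40-character SHAs in it are constructed placeholders.

```python
import re
# Trusted publishers from the policy above, as lowercase owner names.
TRUSTED_OWNERS = {"bym-ikt", "actions", "docker", "aws-actions", "hashicorp",
                  "slackapi", "sonarsource", "datadog", "pnpm"}
VOLATILE_REFS = {"master", "latest"}            # never acceptable, even for trusted owners
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")        # a full (40 hex char) commit SHA
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")

def check_uses(ref: str) -> tuple[str, str]:
    """Classify one `uses:` value as 'ok', 'warn' or 'bad' under the pinning rules."""
    ref = ref.strip("'\"")
    if ref.startswith("./") or ref.startswith("docker://"):
        return "ok", "local path or container image, not covered by these rules"
    if "@" not in ref:
        return "bad", "no ref given, so the action's default branch is used"
    action, version = ref.rsplit("@", 1)
    owner = action.split("/", 1)[0].lower()     # GitHub owner names are case-insensitive
    if FULL_SHA.match(version):
        return "ok", "pinned to a full commit SHA"
    if owner not in TRUSTED_OWNERS:
        return "bad", f"'{owner}' is untrusted and must be pinned to a full commit SHA"
    if version in VOLATILE_REFS:
        return "bad", f"'{version}' is a volatile ref; use a release tag or a commit SHA"
    return "warn", "trusted publisher on a release tag; a full commit SHA is still preferred"

def check_workflow(yaml_text: str) -> list[tuple[int, str, str, str]]:
    """Return (line number, uses value, verdict, reason) for every `uses:` line."""
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            verdict, reason = check_uses(m.group(1))
            findings.append((lineno, m.group(1), verdict, reason))
    return findings

# Constructed sample workflow; the SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-node@v5
      - uses: actions/setup-node@master
      - uses: some-user/random-action@v2
      - uses: some-user/random-action@0123456789abcdef0123456789abcdef01234567
"""
if __name__ == "__main__":
    for lineno, uses, verdict, reason in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {verdict.upper():4} {uses} ({reason})")
```

Run it against a real file with `check_workflow(open(".github/workflows/ci.yml").read())`; any `bad` finding violates the rules above, and `warn` marks a tag pin that should preferably become a SHA.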