Pin all GitHub Actions to SHAs #677

Open
fyliu wants to merge 4 commits into hackforla:main from fyliu:676-convert-action-tags-to-SHAs

@fyliu fyliu commented May 20, 2026

Member

Fixes #676

What changes did you make?

  • added script (AI-generated) to pin all GitHub Actions to commit SHAs
  • updated workflows to use commit SHAs
  • added documentation for the new script

Why did you make the changes (we will use this info to test)?

  • SHA-pinning is for security, because the action tags can be re-pointed to malicious commits.
  • I had to reorganize the scripts documentation into a folder structure in order to add a page for the script.
  • I figured it's okay to let AI create the script, since it makes small changes that we would look at before committing.

Testing

  • Change .github/workflows/deploy-docs.yml - uses: actions/checkout@... line to - uses: actions/checkout@v4 and run the script to see that it writes the SHA for it.
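
The SHA-pinning rationale in the description above can be checked mechanically. The following Python check is an added example, not part of this pull request and not the script it adds: it flags uses: references that are not pinned to a full 40-character commit SHA. The function name find_unpinned, the sample workflow and the SHA in it are constructed for illustration.

```python
import re

# "uses: owner/repo[/path]@ref", with optional list dash, quotes and trailing comment.
USES_RE = re.compile(r"""^\s*(?:-\s+)?uses:\s*['"]?([^'"\s#]+)['"]?\s*(?:#.*)?$""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed workflow for illustration; the 40-hex SHA is a made-up value.
SAMPLE = """\
jobs:
  docs:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5
      - name: abbreviated SHA
        uses: example-org/example-action@0123456
      - uses: ./.github/actions/local
"""


def find_unpinned(workflow_text):
    """Return (line_number, reference, reason) for uses: entries lacking a full SHA."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        reference = match.group(1)
        # Local paths carry no ref; docker:// images are pinned by digest instead,
        # which this example does not check.
        if reference.startswith(("./", "docker://")):
            continue
        _, sep, ref = reference.partition("@")
        if not sep:
            findings.append((number, reference, "missing ref"))
        elif not FULL_SHA_RE.match(ref):
            # Tags and branches are mutable; an abbreviated SHA is not a full-length pin.
            findings.append((number, reference, "not a full commit SHA"))
    return findings


if __name__ == "__main__":
    for number, reference, reason in find_unpinned(SAMPLE):
        print(f"line {number}: {reference} ({reason})")
```

Run against a workflow file's text, an empty result means every third-party action reference is pinned to a full commit SHA.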

@fyliu fyliu requested a review from benpinhassi May 20, 2026 23:28
@fyliu fyliu moved this to PR Needs review (automated column, do not place items here manually) in P: PD: Project Board May 20, 2026
@fyliu fyliu changed the title script: pin all GitHub Actions to SHAs Pin all GitHub Actions to SHAs May 20, 2026
@fyliu fyliu requested review from bhamrickatmills and removed request for benpinhassi May 20, 2026 23:38
@fyliu fyliu force-pushed the 676-convert-action-tags-to-SHAs branch from 3371c5f to 8c9ad0d Compare May 20, 2026 23:50
@fyliu fyliu self-assigned this May 22, 2026
@fyliu fyliu force-pushed the 676-convert-action-tags-to-SHAs branch 2 times, most recently from ced8c5e to 01bd2cf Compare May 22, 2026 21:48

fyliu commented May 22, 2026

Member Author

Pushed a fix for the 4 documentation link warnings.

Suggested changes

Switch autolinks to awesome-links

I'm looking at the autolinks plugin for mkdocs and it doesn't work very well with the awesome-pages plugin. The problem is it doesn't support multiple files named index.md in different directories, so I ended up specifying the full relative path, which defeats the purpose of the plugin.

There's another plugin called awesome-links that supports partial paths such as scripts/index.md and tools/index.md, which is better than autolinks.

Update awesome-pages to awesome-nav

Looks like awesome-pages got renamed to awesome-nav, so we should probably switch to that too. The 2 awesome plugins are by the same developer, which explains why they work well together.

@fyliu fyliu mentioned this pull request May 22, 2026
3 tasks
@fyliu fyliu force-pushed the 676-convert-action-tags-to-SHAs branch from 01bd2cf to f04421f Compare June 11, 2026 21:04

Projects

Status: PR Needs review (automated column, do not place items here manually)

Development

Successfully merging this pull request may close these issues.

Make sure all 3rd party GHA are associated with commit IDs