🔒 Pin GitHub Actions to commit SHAs (#105)
Browse files## 🔒 Pin GitHub Actions to commit SHAs
This PR pins all GitHub Actions to their exact commit SHA instead of
mutable tags or branch names.
**Why?**
Pinning to a SHA prevents supply chain attacks where a tag (e.g. `v4`)
could be moved to point to malicious code.
### Changes
| Workflow | Action | Before | After | SHA |
|---|---|---|---|---|
| `deploy-to-spaces.yml` | `actions/checkout` | `v3` | `v6.0.2` | `de0fac2e4500…` |
| `deploy-to-spaces.yml` | `actions/setup-node` | `v3` | `v3` | `3235b876344d…` |
| `deploy-to-spaces.yml` | `pnpm/action-setup` | `v2` | `v2` | `eae0cfeb286e…` |
| `deploy-to-spaces.yml` | `actions/cache` | `v3` | `v3` | `6f8efc29b200…` |
| `deploy-to-spaces.yml` | `actions/checkout` | `v3` | `v6.0.2` | `de0fac2e4500…` |
> 🤖 Generated by `/github-actions-audit` — [security/pin-actions-to-sha]
Closes huggingface/tracking-issues#151
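--- a/deploy-to-spaces.yml
+++ b/deploy-to-spaces.yml
@@ -11,12 +11,12 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 10
 steps:
-- uses: actions/checkout@
-- uses: actions/setup-node@v3
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+- uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
 with:
 node-version: "20"
 - name: Install pnpm
-uses: pnpm/action-setup@v2
+uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2
 with:
 version: latest
 run_install: false
@@ -25,7 +25,7 @@ jobs:
 shell: bash
 run: |
 echo "STORE_PATH=$(pnpm store path)" >> $GITHUB_OUTPUT
-- uses: actions/cache@v3
+- uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3
 with:
 path: ${{ steps.pnpm-cache.outputs.STORE_PATH }}
 key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
@@ -40,7 +40,7 @@ jobs:
 needs: test-build
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 lfs: true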
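Review bot: The SHA pins in the first hunk do not extend to the tool they install — the `Install pnpm` step still carries `version: latest` (line 21), so pnpm itself is resolved from the registry at run time and remains a floating dependency after this commit. Pin it to an explicit pnpm version, or drop `version:` and declare the `packageManager` field in `package.json`, which recent releases of pnpm/action-setup are documented to read. Separately, the trailing comments on the setup-node, pnpm/action-setup and actions/cache pins record only a major tag (`# v3`, `# v2`) while the checkout pin records `# v6.0.2`; record the exact release tag each SHA was published under so a reviewer or update bot can verify the SHA against a published release rather than a mutable major tag. The job blocks enclosing these steps begin before each hunk.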