Skip to content

🚨 Feature Request: Enable Immutable Releases and pin Docker digest for supply chain security 🚨 #214

Description

@venkatamutyala

Title:

Feature Request: Enable Immutable Releases and pin Docker digest for supply chain security

Description:

This action is heavily relied upon across the GitHub ecosystem. To protect consumers against supply chain attacks, I'd like to propose making the action's versions truly immutable.

Right now, Git release tags are mutable, and the action.yaml points to a mutable Docker tag. If the repository or container registry were ever compromised, a malicious actor could alter the code running in users' CI/CD pipelines under an existing version string.

Proposed Changes:

  1. Enable GitHub’s native Immutable Releases in this repository's settings to lock down the Git tags. (only a repo admin/owner can do this)
  2. Update action.yaml to point to the Docker image's SHA-256 cryptographic digest instead of just the :1.12.0 tag.

This creates a bulletproof, zero-trust workflow for your enterprise users. Let me know if you would accept a PR for the action.yaml updates!

Metadata

Metadata

Assignees

Labels

No labels
No labels

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions