criu/.github
Radostin Stoyanov 341c9fa7de ci: pin third-party actions to SHAs
Third-party GitHub Actions referenced by tags can change without a CRIU
patch if the upstream action repository moves or compromises a tag. That
is especially sensitive for actions that receive CI credentials such as
CODECOV_TOKEN or GITHUB_TOKEN.

Pin the remaining non-GitHub actions used by regular workflows to the
full commit IDs currently behind their version tags. Keep the version
tag in a comment next to each SHA so reviewers can see the intended
release and future updates remain explicit.

Leave GitHub-owned actions on version tags to match the existing
linux-next workflow policy, which already pins non-GitHub actions while
using tags for actions/* refs. This keeps the hardening focused on
third-party supply chain risk without forcing the repository-wide SHA
policy that would also require pinning GitHub-authored actions.

Fixes: #3068

Assisted-by: Codex:gpt-5
Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
2026-07-02 07:55:32 +02:00
..
actions/lima-vm-setup ci: pin third-party actions to SHAs 2026-07-02 07:55:32 +02:00
workflows ci: pin third-party actions to SHAs 2026-07-02 07:55:32 +02:00
copilot-instructions.md github: add Copilot repository-specific instructions 2026-01-28 23:40:31 -08:00
ISSUE_TEMPLATE.md github: Add templates for new issues and pull requests 2021-09-03 10:31:00 -07:00
PULL_REQUEST_TEMPLATE.md github: Add templates for new issues and pull requests 2021-09-03 10:31:00 -07:00