criu/.github/workflows
Radostin Stoyanov 341c9fa7de ci: pin third-party actions to SHAs
Third-party GitHub Actions referenced by tags can change without a CRIU
patch if the upstream action repository moves or compromises a tag. That
is especially sensitive for actions that receive CI credentials such as
CODECOV_TOKEN or GITHUB_TOKEN.

Pin the remaining non-GitHub actions used by regular workflows to the
full commit IDs currently behind their version tags. Keep the version
tag in a comment next to each SHA so reviewers can see the intended
release and future updates remain explicit.

Leave GitHub-owned actions on version tags to match the existing
linux-next workflow policy, which already pins non-GitHub actions while
using tags for actions/* refs. This keeps the hardening focused on
third-party supply chain risk without forcing the repository-wide SHA
policy that would also require pinning GitHub-authored actions.

Fixes: #3068

Assisted-by: Codex:gpt-5
Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
2026-07-02 07:55:32 +02:00
..
check-commits.yml ci: update GitHub Actions to latest major versions 2026-06-29 14:16:28 +01:00
ci.yml ci: pin third-party actions to SHAs 2026-07-02 07:55:32 +02:00
codeql.yml ci: update GitHub Actions to latest major versions 2026-06-29 14:16:28 +01:00
cross-compile-daily.yml ci: update GitHub Actions to latest major versions 2026-06-29 14:16:28 +01:00
lint.yml ci: update GitHub Actions to latest major versions 2026-06-29 14:16:28 +01:00
linux-next.yml github: add linux-next test workflow 2026-06-30 06:44:35 +01:00
manage-labels.yml ci: pin third-party actions to SHAs 2026-07-02 07:55:32 +02:00
stale.yml ci: update GitHub Actions to latest major versions 2026-06-29 14:16:28 +01:00