Pin GitHub Actions to SHA digests #55

@Perseus985

OpenSSF Scorecard finding: Pinned Dependencies

Currently unpinned across golang.yaml, docker.yaml, helm-lint.yaml, helm-publish.yaml:

  • actions/checkout@v6, actions/setup-go@v6, golangci/golangci-lint-action@v9
  • docker/metadata-action@v6, docker/setup-qemu-action@v4, docker/setup-buildx-action@v4, docker/login-action@v4, docker/build-push-action@v7
  • sigstore/cosign-installer@v4.1.2 (version-pinned but not SHA-pinned)
  • anchore/sbom-action@v0, actions/attest-sbom@v4, actions/attest-build-provenance@v4

Renovate (already configured) will keep SHAs updated. Reference: ossf-scorecard.yml and osv-scanner.yml are already correctly pinned.
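The check behind this issue is mechanical: a `uses:` reference is only immutable when the part after `@` is a full 40-hex commit SHA; a tag such as `v6` or `v4.1.2` can be moved by the action's maintainers (or an attacker with access to that repository). The script below is an added example, not code from this project, that scans workflow text for non-SHA-pinned references the way the Scorecard "Pinned-Dependencies" check does. The sample workflow, the `some-org/some-action` name and the all-placeholder SHA are constructed for the demo; the action names match the ones listed in the issue.

```python
"""Report GitHub Actions `uses:` references that are not pinned to a full
commit SHA. Example added to this issue page; not part of the project."""
import re
from typing import List, Tuple

# `uses: owner/repo[/path]@ref`, with optional quotes and a trailing `# comment`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@'\"\s]+)@([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def pin_kind(ref: str) -> str:
    """Classify the part after '@': 'sha' (immutable), 'tag' (a moving
    version tag like v6 or v4.1.2), or 'other' (branch name, short SHA,
    anything else that can be moved)."""
    if FULL_SHA_RE.fullmatch(ref):
        return "sha"
    if re.fullmatch(r"v?\d+(\.\d+)*", ref):
        return "tag"
    return "other"


def find_unpinned(workflow: str) -> List[Tuple[str, str, str]]:
    """Return (action, ref, kind) for every `uses:` line whose ref is not a
    full SHA. Local actions (./path) and docker:// images are skipped, with
    or without an @ suffix: they are not GitHub refs a commit SHA can pin."""
    found = []
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.groups()
        if action.startswith("./") or action.startswith("docker://"):
            continue
        kind = pin_kind(ref)
        if kind != "sha":
            found.append((action, ref, kind))
    return found


# Constructed sample workflow. The 40-hex value is a placeholder, not a real
# commit, and some-org/some-action is a made-up action used to show a branch ref.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-go@v6
      - uses: sigstore/cosign-installer@v4.1.2
      - uses: ./.github/actions/local-thing
      - uses: some-org/some-action@main
  scorecard:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6 (placeholder SHA)
"""

if __name__ == "__main__":
    for action, ref, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f"{action}@{ref}: {kind} ref, not SHA-pinned")
```

Run it against the contents of each file under `.github/workflows/`; anything it reports is what the Scorecard finding refers to. The fix shape is `uses: owner/repo@<full-sha> # vN`, where the trailing comment records the human-readable version and Renovate, already configured in this repository, updates both the SHA and the comment together.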

Labels: chore (A routine task or common potentially re-occurring task), good first issue (Good for newcomers)
