added the workflow and script to pin commit hash #6497
Open
antedotee wants to merge 1 commit into pipe-cd:master from
Signed-off-by: antedotee <soniyadav2051982@gmail.com>
1fe0f43 to 575e52a
Author
@khanhtc1202 Please take a look. Instead of raising a PR solely for the workflow, the workflow was referencing the local script, so I added the local script here for an end-to-end setup. I have run the script locally and it is working perfectly. If this gets merged, I think I can raise the next PR for changing all the tags to commit hashes, and another PR for referencing the changes made in the documentation so that contributors can reference it to know what is going on.
What this PR does:
This PR introduces a workflow and a script which will ensure every tag is pinned to the commit hash. If anything uses a tag and not a commit hash, the workflow will fail and will tell you to run hack/gha-reversemap.sh apply-reversemap locally. I have also added .gha-reversemap.yml which will act as a single source of truth for approved hashes.
Why we need it:
For security purposes, makes the supply chain auditable
Which issue(s) this PR fixes:
Fixes #6492
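
The kind of check the description refers to (flag any `uses:` reference that is a tag or branch rather than a full commit hash), as an added example that is not the PR's hack/gha-reversemap.sh. The `APPROVED` variable and its one-reference-per-line file are hypothetical and are not the format of .gha-reversemap.yml; the `example-org` action names and the SHA are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the project's script. Reads workflow YAML on stdin and
# prints "REASON<TAB>reference" for each `uses:` that is not pinned.
# APPROVED is a hypothetical variable naming a file with one approved
# reference per line; it is not the format of .gha-reversemap.yml.
check_pins() {
  awk -v approved="${APPROVED:-}" '
    BEGIN {
      if (approved != "")
        while ((getline line < approved) > 0) ok[line] = 1
    }
    # Matches "uses: x" and "- uses: x"; commented-out lines do not match.
    /^[ \t]*(-[ \t]*)?uses:[ \t]*/ {
      ref = $0
      sub(/^[ \t]*(-[ \t]*)?uses:[ \t]*/, "", ref)
      sub(/[ \t]+#.*$/, "", ref)      # drop a trailing "# v4.1.0" comment
      gsub(/["\047]/, "", ref)         # drop surrounding quotes
      if (ref ~ /^\.\//) next          # local action, versioned with the repo
      if (ref ~ /^docker:/) {          # images are pinned by digest instead
        if (ref !~ /@sha256:[0-9a-f]+$/) print "UNPINNED\t" ref
        next
      }
      n = split(ref, part, "@")
      sha = (n == 2) ? part[2] : ""
      if (length(sha) != 40 || sha !~ /^[0-9a-f]+$/) print "UNPINNED\t" ref
      else if (approved != "" && !(ref in ok)) print "UNAPPROVED\t" ref
    }'
}

# Constructed sample workflow; action names and the SHA are placeholders.
sample_workflow() {
  cat <<'EOF'
jobs:
  build:
    steps:
      - uses: example-org/checkout-action@0123456789abcdef0123456789abcdef01234567 # v4.1.0
      - uses: example-org/build-action@v4
      - uses: example-org/scan-action@0123456
      - uses: ./.github/actions/local-lint
      - uses: docker://example.org/tool:1.2
      # - uses: example-org/old-action@v1
      - name: Deploy
        uses: example-org/deploy-action@main
EOF
}

sample_workflow | check_pins
```

A CI job built on this would fail when the output is non-empty; abbreviated hashes such as `@0123456` are reported as unpinned because only the full 40-character SHA identifies a commit unambiguously.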