From 50bd68fbc8c87713cab382d819fa38eb3ee6d1c8 Mon Sep 17 00:00:00 2001 From: Sebastian Mendel Date: Thu, 2 Jul 2026 02:48:42 +0200 Subject: [PATCH] fix(templates): pin release-generic.yml actions to commit SHAs Opengrep's github-actions-mutable-action-tag rule flags the six `@vN` action refs in the shipped release template. Pin each to its release commit SHA with a version comment; refs bumped to current majors (checkout v7, cosign-installer v4, attest-build-provenance v4, action-gh-release v3, sbom-action v0.24). Signed-off-by: Sebastian Mendel --- skills/github-release/templates/release-generic.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/skills/github-release/templates/release-generic.yml b/skills/github-release/templates/release-generic.yml index 2d54045..c1e9a26 100644 --- a/skills/github-release/templates/release-generic.yml +++ b/skills/github-release/templates/release-generic.yml @@ -12,7 +12,7 @@ jobs: id-token: write attestations: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Get version from tag id: version run: echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT" @@ -23,13 +23,13 @@ jobs: git archive --format=tar.gz --prefix="${ARCHIVE_NAME}/" -o "dist/${ARCHIVE_NAME}.tar.gz" HEAD git archive --format=zip --prefix="${ARCHIVE_NAME}/" -o "dist/${ARCHIVE_NAME}.zip" HEAD - name: Generate SBOM (SPDX) - uses: anchore/sbom-action@v0 + uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0 with: path: . format: spdx-json output-file: dist/${{ github.event.repository.name }}-${{ steps.version.outputs.version }}.sbom.spdx.json - name: Generate SBOM (CycloneDX) - uses: anchore/sbom-action@v0 + uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0 with: path: . format: cyclonedx-json @@ -37,7 +37,7 @@ jobs: - name: Generate checksums run: cd dist && sha256sum * > checksums.txt - name: Install Cosign - uses: sigstore/cosign-installer@v3 + uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 - name: Sign artifacts run: | # Use .sigstore.json extension (NOT cosign's default .bundle). @@ -53,11 +53,11 @@ jobs: cosign sign-blob "$f" --bundle "${f}.sigstore.json" --yes done - name: Generate attestation - uses: actions/attest-build-provenance@v2 + uses: actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373 # v4.1.1 with: subject-path: dist/*.tar.gz,dist/*.zip - name: Create GitHub Release - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3.0.1 with: files: dist/* generate_release_notes: true