[grace-hopper-day] Pin Github Actions by commit-hash - nodejs/diagnostics

Pin Actions to a full length commit SHA

Repository: https://github.com/nodejs/diagnostics

#### Why is this needed?

- GitHub Action tags and Docker tags are mutable, which poses a security risk
- If the tag changes you will not have a chance to review the change before it gets used
- GitHub's Security Hardening for GitHub Actions guide [recommends pinning actions to full length commit for third party actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions).

#### Before and After the fix

Before the fix, your workflow may look like this (use of `v1` and `latest` tags)

After the fix, Secure-Repo pins each Action and docker image to an immutable checksum.

**Pull request example**: https://github.com/electron/electron/pull/36343

In this pull request, the workflow file has the GitHub Actions tags pinned automatically to their full-length commit SHA.

![](https://github.com/step-security/secure-repo/blob/main/images/pin-example.png?raw=true)
<p align="center"><img src="images/pin-example.png" alt="Screenshot of Action pinned to commit SHA" width="600" /></p>

---

From: https://github.com/step-security/secure-repo#3-pin-actions-to-a-full-length-commit-sha


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

[grace-hopper-day] Pin Github Actions by commit-hash - nodejs/diagnostics #1107

Why is this needed?

Before and After the fix

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

[grace-hopper-day] Pin Github Actions by commit-hash - nodejs/diagnostics #1107

Description

Why is this needed?

Before and After the fix

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions