chore: pin GitHub Actions to commit SHAs #3
Convert every `uses:` in `.github/workflows/deploy.yml` to the `@<40-character SHA> # vX.Y.Z` form (auto-generated with pinact 3.9.0). As a supply-chain countermeasure, mutable tag references to third-party Actions are pinned to immutable commit SHAs. Dependabot (github-actions) is already configured, so future updates will continue to be applied automatically based on the version comment.
Summary
As a supply-chain countermeasure, all GitHub Actions are switched from mutable tag references to immutable commit SHA references.
Changes
- Converted the `uses:` entries in `.github/workflows/deploy.yml` to the `owner/repo@<40-character SHA> # vX.Y.Z` form (auto-generated with pinact 3.9.0):
  - actions/checkout
  - 1password/load-secrets-action
  - peaceiris/actions-hugo
  - cloudflare/wrangler-action
- Dependabot (github-actions) keeps its existing configuration and can still update the SHAs

Motivation
- Tag references (such as @v3) are mutable: if an Action author's account is compromised and @v3 is repointed, the next deploy pulls in the tainted code
- peaceiris/actions-hugo is comparatively higher risk, so SHA pinning benefits it in particular

Verification
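As an added example (not part of this PR or of pinact), a small audit script that applies the pinning rule above to a constructed workflow: it flags `uses:` references that still point at a tag or branch, and SHA pins that lack the `# vX.Y.Z` comment Dependabot uses to track the version. The sample workflow and its SHAs are placeholders, not the repository's real file or the actions' real commits.

```python
"""Audit `uses:` references in a GitHub Actions workflow for SHA pinning."""
import re
from typing import List, Optional, Tuple

# Constructed sample workflow, not the repository's real deploy.yml;
# the SHAs below are placeholders, not the actions' real commits.
SAMPLE_WORKFLOW = """\
jobs:
  deploy:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: 1password/load-secrets-action@v2
      - uses: peaceiris/actions-hugo@89abcdef0123456789abcdef0123456789abcdef
      - uses: cloudflare/wrangler-action@main
      - uses: ./.github/actions/local-step
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>\S+))?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(ref: str, comment: Optional[str]) -> str:
    """Return 'ok', 'sha-no-comment', 'mutable' or 'skip' for one uses: ref."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return "skip"          # local path or image ref: not a tag pinned here
    if "@" not in ref:
        return "mutable"       # no ref at all resolves to the default branch
    _, version = ref.rsplit("@", 1)
    if SHA_RE.match(version):
        # Dependabot reads the trailing "# vX.Y.Z" comment to track the version
        return "ok" if comment else "sha-no-comment"
    return "mutable"           # a tag or branch name can be moved by the owner


def audit(workflow_text: str) -> List[Tuple[str, str]]:
    """Return (ref, status) for every uses: line that is not fully pinned."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        status = classify(m.group("ref"), m.group("comment"))
        if status not in ("ok", "skip"):
            findings.append((m.group("ref"), status))
    return findings


if __name__ == "__main__":
    for ref, status in audit(SAMPLE_WORKFLOW):
        print(f"{status:15} {ref}")
```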
Related
The other repositories under the EcAuth organization will be migrated to the same policy in turn.
🤖 Generated with Claude Code