[Github][libc] Hash Pin Actions in Workflows #129487

Merged

Conversation

boomanaiden154
Contributor

This patch hash-pins actions in the libc GitHub workflows. Hash pinning is a best practice as it ensures we are getting an exact action version, which can help with reproducibility/reliability. It additionally alleviates security concerns as an attacker can modify release assets, potentially giving them access to tokens in privileged workflows.

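The description above states the rule (reference actions by a full commit SHA, with the human-readable version kept as a trailing comment) but the repository has no check that enforces it. The following is an added example, not code from this PR or from llvm-project: a small lint that scans a workflow file for `uses:` lines and reports references that are still tag-based or that are SHA-pinned but lack a version comment. The sample workflow text is constructed for the example (it reuses the two SHAs visible in this diff); the function names `audit_workflow`, `classify` and `findings` are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List

# Matches a "uses:" step line, with or without the leading list dash,
# capturing the action reference and an optional trailing "# comment".
USES_RE = re.compile(r'^\s*-?\s*uses:\s*([^\s#]+)\s*(?:#\s*(.*))?$')
# A full 40-hex-digit commit id; an abbreviated SHA is not accepted as a pin.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')
# The version comment convention used in the PR: "# v4.2.2", "# 1.2.17", ...
VERSION_COMMENT_RE = re.compile(r'^v?\d+(\.\d+)*')


@dataclass
class UsesRef:
    line: int
    action: str
    ref: str
    comment: str
    status: str  # "pinned" | "pinned-no-version-comment" | "unpinned" | "skipped"


def classify(action: str, ref: str, comment: str) -> str:
    """Decide how a single action reference should be reported."""
    # Local composite actions and docker:// images are not pinned by commit SHA.
    if action.startswith("./") or action.startswith("docker://"):
        return "skipped"
    if SHA_RE.match(ref):
        # The comment is informational only: GitHub never checks that the
        # stated version really corresponds to the commit, so its absence
        # is flagged as a maintainability problem, not a security one.
        if VERSION_COMMENT_RE.match(comment):
            return "pinned"
        return "pinned-no-version-comment"
    # Anything else (v4, v1, main, a branch name) is a mutable reference.
    return "unpinned"


def audit_workflow(text: str) -> List[UsesRef]:
    """Return one UsesRef per 'uses:' line found in a workflow file's text."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        comment = (m.group(2) or "").strip()
        if target.startswith("docker://") or "@" not in target:
            action, ref = target, ""
        else:
            # "owner/repo[/path]@ref": split on the last "@" only.
            action, ref = target.rsplit("@", 1)
        results.append(UsesRef(lineno, action, ref, comment,
                               classify(action, ref, comment)))
    return results


def findings(text: str) -> List[UsesRef]:
    """Only the references a reviewer would ask to be changed."""
    return [r for r in audit_workflow(text)
            if r.status in ("unpinned", "pinned-no-version-comment")]


# Constructed sample (not an llvm-project file): one floating tag, one correct
# pin, one pin without a version comment, and two references that are skipped.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
    - uses: actions/checkout@v4
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Setup ccache
      uses: hendrikmuhs/ccache-action@a1209f81afb8c005c13b4296c32e363431bffea5
    - uses: ./.github/actions/local-helper
    - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for f in findings(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.action}@{f.ref or '<none>'}: {f.status}")
```

The lint deliberately does not try to confirm that a SHA really is the commit behind the tag named in the comment; that needs a network lookup (for example `git ls-remote` against the action's repository) and is the check a reviewer still has to do by hand, or delegate to an updater such as Dependabot that rewrites the SHA and the comment together.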
@llvmbot
Member

llvmbot commented Mar 3, 2025

@llvm/pr-subscribers-github-workflow

Author: Aiden Grossman (boomanaiden154)

Changes

This patch hash-pins actions in the libc GitHub workflows. Hash pinning is a best practice as it ensures we are getting an exact action version, which can help with reproducibility/reliability. It additionally alleviates security concerns as an attacker can modify release assets, potentially giving them access to tokens in privileged workflows.


Full diff: https://github.com/llvm/llvm-project/pull/129487.diff

2 Files Affected:

  • (modified) .github/workflows/libc-fullbuild-tests.yml (+2-2)
  • (modified) .github/workflows/libc-overlay-tests.yml (+2-2)
diff --git a/.github/workflows/libc-fullbuild-tests.yml b/.github/workflows/libc-fullbuild-tests.yml
index d93ac84116240..00d2696e7e586 100644
--- a/.github/workflows/libc-fullbuild-tests.yml
+++ b/.github/workflows/libc-fullbuild-tests.yml
@@ -30,7 +30,7 @@ jobs:
           # - c_compiler: gcc
           #   cpp_compiler: g++
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     
     # Libc's build is relatively small comparing with other components of LLVM.
     # A fresh fullbuild takes about 190MiB of uncompressed disk space, which can
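Review bot: the new `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2` line is the right shape (full 40-hex commit id plus a readable version comment), but GitHub does not validate the comment against the commit, so please confirm out of band that this SHA is the commit the `v4.2.2` tag points to. It would also be worth adding or confirming a Dependabot `github-actions` update configuration so the SHA and its trailing comment are bumped together instead of drifting apart over time.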
@@ -39,7 +39,7 @@ jobs:
     # Do not use direct GHAC access even though it is supported by sccache. GHAC rejects
     # frequent small object writes.
     - name: Setup ccache
-      uses: hendrikmuhs/[email protected]
+      uses: hendrikmuhs/ccache-action@a1209f81afb8c005c13b4296c32e363431bffea5 # v1.2.17
       with:
         max-size: 1G
         key: libc_fullbuild_${{ matrix.c_compiler }}
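Review bot: the removed line shows here as `hendrikmuhs/[email protected]`, which looks like an artifact of how this page was captured rather than the reference that was actually in the file, so the before/after can only be judged from the `+` line, `hendrikmuhs/ccache-action@a1209f81afb8c005c13b4296c32e363431bffea5 # v1.2.17`. One caveat for a third-party action: the pin freezes only this top-level reference; anything the action itself fetches at run time by tag is not frozen by this change.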
diff --git a/.github/workflows/libc-overlay-tests.yml b/.github/workflows/libc-overlay-tests.yml
index de4b58c008ee4..da82d8d9fe8ab 100644
--- a/.github/workflows/libc-overlay-tests.yml
+++ b/.github/workflows/libc-overlay-tests.yml
@@ -47,7 +47,7 @@ jobs:
               cpp_compiler: clang++
     
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     
     # Libc's build is relatively small comparing with other components of LLVM.
     # A fresh linux overlay takes about 180MiB of uncompressed disk space, which can
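Review bot: this pins the same checkout SHA as libc-fullbuild-tests.yml, which keeps the two workflows consistent; the flip side is that the pin is now duplicated across files, so any future bump has to touch both, and a single update mechanism (Dependabot or a small script) is preferable to editing them by hand.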
@@ -57,7 +57,7 @@ jobs:
     # Do not use direct GHAC access even though it is supported by sccache. GHAC rejects
     # frequent small object writes.
     - name: Setup ccache
-      uses: hendrikmuhs/ccache-action@v1
+      uses: hendrikmuhs/ccache-action@a1209f81afb8c005c13b4296c32e363431bffea5 # v1.2.17
       with:
         max-size: 1G
         key: libc_overlay_build_${{ matrix.os }}_${{ matrix.compiler.c_compiler }}
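Review bot: the removed line here was `hendrikmuhs/ccache-action@v1`, a floating major tag, so this workflow had been picking up every v1.x release automatically; pinning to `a1209f81afb8c005c13b4296c32e363431bffea5 # v1.2.17` stops that, which is the intent of the PR, but it also means later v1.x fixes will not arrive without a deliberate bump, so the update process noted for the fullbuild workflow matters here too.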

@boomanaiden154 boomanaiden154 requested a review from carlocab March 3, 2025 07:54
Contributor

@SchrodingerZhu SchrodingerZhu left a comment


LGTM

@boomanaiden154 boomanaiden154 merged commit c9aefe1 into llvm:main Mar 3, 2025
17 checks passed
@boomanaiden154 boomanaiden154 deleted the libc-workflows-actions-hash-pinning branch March 3, 2025 16:37
jph-13 pushed a commit to jph-13/llvm-project that referenced this pull request Mar 21, 2025