From de2e68f63cd422911a8c7176b241952dad553d2c Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 12 May 2025 16:21:11 -0400 Subject: [PATCH] docs: add some hash-pinning tool recommendations (#788) Signed-off-by: William Woodruff --- docs/{ => assets}/magiclink.css | 0 docs/audits.md | 16 ++++++++++++++-- mkdocs.yml | 2 +- 3 files changed, 15 insertions(+), 3 deletions(-) rename docs/{ => assets}/magiclink.css (100%) diff --git a/docs/magiclink.css b/docs/assets/magiclink.css similarity index 100% rename from docs/magiclink.css rename to docs/assets/magiclink.css diff --git a/docs/audits.md b/docs/audits.md index 19f83458..a03e001c 100644 --- a/docs/audits.md +++ b/docs/audits.md @@ -1254,6 +1254,20 @@ regardless of definition order. ### Remediation +!!! tip + + There are several third-party tools that can automatically hash-pin + your workflows and actions for you: + + - :simple-go: @suzuki-shunsuke/pinact: supports updating and hash-pinning + workflows, actions, and arbitrary inputs. + - :simple-python: @davidism/gha-update: supports updating and hash-pinning + workflow definitions. + - :simple-go: @stacklok/frizbee: supports hash-pinning (but not updating) + workflow definitions. + + See also @stacklok/frizbee#184 for current usage caveats. + For repository actions (like @actions/checkout): add a branch, tag, or SHA reference. @@ -1305,8 +1319,6 @@ For Docker actions (like `docker://ubuntu`): add an appropriate 1. Or `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683` for a SHA-pinned action. - - ## `unredacted-secrets` | Type | Examples | Introduced in | Works offline | Enabled by default | Configurable | diff --git a/mkdocs.yml b/mkdocs.yml index b9f74e28..c8c0b97a 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -102,7 +102,7 @@ validation: unrecognized_links: warn extra_css: - - magiclink.css + - assets/magiclink.css exclude_docs: | snippets/
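Review bot: In the `docs/audits.md` tip hunk, the caveats for frizbee are only reachable by following `@stacklok/frizbee#184`; since the three tools rewrite workflow files in place, a one-line summary of the caveat in the tip itself would serve readers better than an issue reference that can go stale. It would also help to say, next to "There are several third-party tools that can automatically hash-pin your workflows and actions for you", that the SHAs such a tool writes should still be checked against the upstream tag before committing, so the tip does not read as an unconditional endorsement of running a third-party rewriter over CI configuration.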
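Review bot: The `mkdocs.yml` hunk changing `- magiclink.css` to `- assets/magiclink.css`, together with the `docs/{ => assets}/magiclink.css` rename, is unrelated to the hash-pinning recommendations in the subject line; consider splitting it into its own commit, and confirm that no other reference to the old `docs/magiclink.css` path remains (theme overrides, other `extra_css` entries, or docs pages) so the stylesheet does not silently stop loading.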