From d33c2e40f5897aef4fb7ffa679c91df98b3ebaf5 Mon Sep 17 00:00:00 2001 From: fettpl <38704082+fettpl@users.noreply.github.com> Date: Tue, 17 Feb 2026 13:50:07 +0100 Subject: [PATCH] fix(ci): pin Blacksmith GitHub Actions to commit SHAs (#511) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replace floating tag refs (@v1, @v2) with SHA-pinned refs to prevent supply-chain attacks via tag mutation on third-party Actions. Pinned: - useblacksmith/setup-docker-builder@v1 → ef12d5b1 - useblacksmith/build-push-action@v2 → 30c71162 Co-authored-by: Claude Opus 4.6 --- .github/workflows/docker.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 63ea2ad..67005c6 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -35,7 +35,7 @@ jobs:
 uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Setup Blacksmith Builder
- uses: useblacksmith/setup-docker-builder@v1
+ uses: useblacksmith/setup-docker-builder@ef12d5b165b596e3aa44ea8198d8fde563eab402 # v1
 - name: Extract metadata (tags, labels) id: meta
@@ -46,7 +46,7 @@ jobs:
 type=ref,event=pr - name: Build smoke image
- uses: useblacksmith/build-push-action@v2
+ uses: useblacksmith/build-push-action@30c71162f16ea2c27c3e21523255d209b8b538c1 # v2
 with: context: . push: false
@@ -71,7 +71,7 @@ jobs:
 uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Setup Blacksmith Builder
- uses: useblacksmith/setup-docker-builder@v1
+ uses: useblacksmith/setup-docker-builder@ef12d5b165b596e3aa44ea8198d8fde563eab402 # v1
 - name: Log in to Container Registry uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
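Review bot: The trailing comments on the new `uses:` lines record only the floating major tag (`# v1` on `useblacksmith/setup-docker-builder` in the `@@ -35` hunk, `# v2` on `useblacksmith/build-push-action` in the `@@ -46` hunk), so the file does not say which release each 40-character SHA was taken from; the `@@ -71` and `@@ -102` hunks repeat the same two lines. I would record the exact release in the comment, e.g. `uses: useblacksmith/setup-docker-builder@ef12d5b165b596e3aa44ea8198d8fde563eab402 # v1.x.y`, where `v1.x.y` is a placeholder for the real upstream tag, so a later reader can check the pin and an update bot has a version to compare against. The diff cannot show where the two SHAs came from, so it is worth confirming before merge that each one is reachable from a tag in the upstream repository itself and not only from a fork. The commit message abbreviates the SHAs to eight characters, which is fine for the description as long as the workflow keeps the full hashes.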
@@ -102,7 +102,7 @@ jobs:
 echo "tags=${TAGS}" >> "$GITHUB_OUTPUT" - name: Build and push Docker image
- uses: useblacksmith/build-push-action@v2
+ uses: useblacksmith/build-push-action@30c71162f16ea2c27c3e21523255d209b8b538c1 # v2
 with: context: . push: true