feat(sec): harden GHA ref by using its SHA ID to prevent accidental usage of compromised actions (#38782)

Signed-off-by: hainenber <dotronghai96@gmail.com> (cherry picked from commit 83823911b5)
2026-05-25 01:35:39 +00:00 · 2026-03-21 21:27:30 +07:00
parent 56877507cf
commit 96c16cb175
38 changed files with 168 additions and 173 deletions
--- a/.github/workflows/github-action-validator.yml
+++ b/.github/workflows/github-action-validator.yml
@@ -9,17 +9,16 @@ on:
    types: [synchronize, opened, reopened, ready_for_review]

 jobs:
-
  validate-all-ghas:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Set up Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
-          node-version: '20'
+          node-version: "20"

      - name: Install Dependencies
        run: npm install -g @action-validator/core @action-validator/cli --save-dev