apollo-ios
chore: renovate bot setting to pin actions to a full length commit SHA
- https://docs.renovatebot.com/modules/manager/github-actions/#additional-information
- Pinned actions by SHA: https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies
Pin actions to a full length commit SHA
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
- https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
- https://github.com/renovatebot/.github/blob/b0c3aa85ef2bb242580f20b02b380ca532b4ce17/default.json#L13
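The pinning described above can be verified in a repository's own CI. The script below is an added example, not code from apollo-ios or from Renovate: it scans workflow text for `uses:` references and flags any that are not a full-length (40 hex character) commit SHA, which is the condition the Scorecard Pinned-Dependencies check looks for. The workflow text and the all-zero SHA are constructed placeholders.

```python
"""Flag GitHub Actions 'uses:' references not pinned to a full-length commit SHA.

Added example, not part of apollo-ios or Renovate. SAMPLE_WORKFLOW and the
all-zero SHA are constructed for illustration only."""
import re
from typing import List, Tuple

# Matches "uses: owner/repo[/path]@ref"; a trailing "# comment" is ignored.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@#]+)@([^\s#]+)", re.MULTILINE)
# A full-length Git commit SHA is exactly 40 lowercase hex characters.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample: one tag ref, one SHA-pinned ref, one local action, one branch ref.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # v3.6.0 (placeholder SHA)
      - uses: ./.github/actions/local-step
      - uses: some-org/some-action@main
"""


def find_unpinned(workflow_text: str) -> List[Tuple[str, str]]:
    """Return (action, ref) pairs whose ref is a tag or branch rather than a full SHA.

    Local actions ("./path") and Docker images ("docker://...") are skipped
    because they are not fetched from a third-party Git repository by ref."""
    unpinned = []
    for action, ref in USES_RE.findall(workflow_text):
        if action.startswith("./") or action.startswith("docker://"):
            continue
        if not FULL_SHA_RE.match(ref):
            unpinned.append((action, ref))
    return unpinned


def report(workflow_text: str) -> int:
    """Print each unpinned reference and return the count (non-zero means fail the check)."""
    unpinned = find_unpinned(workflow_text)
    for action, ref in unpinned:
        print(f"not pinned to a full-length SHA: {action}@{ref}")
    return len(unpinned)


if __name__ == "__main__":
    raise SystemExit(1 if report(SAMPLE_WORKFLOW) else 0)
```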
@naveensrinivasan: Thank you for submitting a pull request! Before we can merge it, you'll need to sign the Apollo Contributor License Agreement here: https://contribute.apollographql.com/
Deploy request for apollo-ios-docs pending review.
Visit the deploys page to approve it
| Name | Link |
|---|---|
| Latest commit | 0aefe76f37e8cbaee51243e2654c0cf1ff039ef1 |
@trevorblades Do you know if this is something we should be pulling in? Now that docs are run from a separate project, I'm not sure if we even need renovate at all anymore?
@AnthonyMDev yeah, we can remove renovate entirely at this point 👍
Actually, thinking about this. We do have an embedded TS library that uses NPM to pull in graphql-js. Perhaps we should be configuring renovate to look at that?
Closing due to inactivity. If this is still an issue for you please reply in this issue - thank you.