
Pin actions hash, add timeout

Open williamtheaker opened this issue 5 years ago • 0 comments

  • Pins setup-go at v2
  • Pins checkout at v2.0.0
  • Adds a 25 minute timeout to keep unresponsive builds from eating up your minutes

This PR pins the SHA1 commit hash for external actions, since an action maintainer could break your build process by tagging a later commit as v1, or a malicious actor could compromise your build process. It's safer to point towards commit hashes instead. Git and GitHub have protections against SHA1 collisions.

The setup-go step might not be necessary since the runners already have Go installed on them.

williamtheaker, Jul 06 '20 22:07
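The two checks this PR describes, as an added example that is not part of the PR or the project's code: a small audit that flags `uses:` references not pinned to a full 40-character commit SHA and jobs with no job-level `timeout-minutes`. The sample workflow is constructed, its 40-hex ref is a placeholder rather than a real commit, and the line-based parsing assumes conventional two-space YAML indentation.

```python
import re

# Constructed sample workflow (not from the PR). The 40-hex ref is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 25
    steps:
      - uses: actions/checkout@v2.0.0
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v2
      - uses: ./.github/actions/local
      - run: go test ./...
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
JOB_RE = re.compile(r"^  ([A-Za-z_][\w-]*):\s*$")  # assumes job ids at 2-space indent

def audit_workflow(text):
    """Return (unpinned, no_timeout): refs not pinned to a full commit SHA
    as (line, ref) pairs, and ids of jobs lacking a job-level timeout-minutes."""
    unpinned, has_timeout, job, in_jobs = [], {}, None, False
    for lineno, line in enumerate(text.splitlines(), 1):
        if line[:1] not in ("", " ", "#"):        # a new top-level key
            in_jobs, job = line.startswith("jobs:"), None
        elif in_jobs and JOB_RE.match(line):
            job = JOB_RE.match(line).group(1)
            has_timeout[job] = False
        elif job and re.match(r"^    timeout-minutes:", line):
            has_timeout[job] = True               # job level only, not step level
        m = USES_RE.match(line)
        if m and not m.group(1).startswith(("./", "docker://")):
            rev = m.group(1).partition("@")[2]    # tag, branch, or SHA after '@'
            if not FULL_SHA_RE.fullmatch(rev):    # tags and branches can be moved
                unpinned.append((lineno, m.group(1)))
    return unpinned, [j for j, ok in has_timeout.items() if not ok]

if __name__ == "__main__":
    bad_refs, slow_jobs = audit_workflow(SAMPLE_WORKFLOW)
    for lineno, ref in bad_refs:
        print(f"line {lineno}: {ref} is not pinned to a commit SHA")
    for job in slow_jobs:
        print(f"job {job}: no timeout-minutes set")
```

A version tag such as `v2.0.0` is still reported, because a tag can be moved to a different commit after the fact; only the full hash is treated as pinned.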