
Conversation

@MarkIannucci
Contributor

With the recent supply chain attack on a popular GH Action, I noticed that this action has a transitive dependency on jenseng/dynamic-uses (which is a really clever chunk of code!).

GitHub recommends pinning to a SHA to protect against these sorts of attacks, which is what this PR does.
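As an added illustration of the pinning this PR applies (example code written for this page, not code from the localstack project, the PR, or jenseng/dynamic-uses): a small lint that flags every `uses:` reference in a workflow that is not a full 40-hex commit SHA, and a rewriter that swaps a tag for its SHA while keeping the tag as a trailing comment. The sample workflow and the tag-to-SHA table are constructed for the demo; the SHAs are placeholders, and in real use the table comes from `git ls-remote` or the GitHub API, which is exactly the step where a pin should be double-checked against the intended tag.

```python
"""Find mutable `uses:` references in a GitHub Actions workflow and rewrite
them to full commit SHAs.

Added example, not code from the localstack project or this PR. The
workflow text and the tag->SHA table below are constructed for the demo;
the SHAs are placeholders, not real commits.
"""
import re

# `uses: owner/repo[/subpath]@ref` with an optional trailing "# comment".
# Local actions (./path) and docker:// images carry no `@ref` of this
# shape and are deliberately left alone.
USES_RE = re.compile(
    r"^(?P<indent>\s*(?:-\s+)?)uses:\s*"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s]+)?)"
    r"@(?P<ref>[^\s#]+)"
    r"(?:\s*#.*)?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_pinned(ref: str) -> bool:
    """Only a full 40-hex commit SHA is immutable. Tags (v1, v4.2.1),
    branches (main) and abbreviated SHAs can all be re-pointed upstream."""
    return FULL_SHA_RE.match(ref) is not None


def find_unpinned(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, action, ref) for every mutable reference."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m is not None and not is_pinned(m.group("ref")):
            findings.append((lineno, m.group("action"), m.group("ref")))
    return findings


def pin_workflow(workflow_text: str, resolved: dict[str, str]) -> str:
    """Replace each mutable ref with the SHA from `resolved`, keeping the
    original tag as a trailing comment so humans (and Dependabot, which
    bumps both the SHA and the comment) can still see the version.

    `resolved` maps "owner/repo@ref" -> commit SHA. Obtaining it is the
    out-of-band step (e.g. `git ls-remote https://github.com/OWNER/REPO REF`
    or the GitHub API); here the caller supplies it.
    """
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m is None or is_pinned(m.group("ref")):
            out.append(line)
            continue
        action, ref = m.group("action"), m.group("ref")
        repo = "/".join(action.split("/")[:2])  # drop any subpath
        sha = resolved.get(f"{repo}@{ref}")
        if sha is None:
            raise KeyError(f"no resolved SHA for {repo}@{ref}")
        if not is_pinned(sha):
            # Refuse to write anything that is not itself a full SHA.
            raise ValueError(f"resolved value for {repo}@{ref} is not a 40-hex SHA: {sha}")
        out.append(f"{m.group('indent')}uses: {action}@{sha}  # {ref}")
    return "\n".join(out) + "\n"


# Constructed sample workflow: two tag-pinned actions, one local action,
# one already SHA-pinned action (placeholder SHA).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: jenseng/dynamic-uses@v1
      - uses: ./.github/actions/local-helper
      - uses: actions/setup-python@0000000000000000000000000000000000000000  # v5.0.0
"""

# Constructed tag -> SHA table (placeholder SHAs, not real commits).
RESOLVED = {
    "actions/checkout@v4": "a" * 40,
    "jenseng/dynamic-uses@v1": "b" * 40,
}

if __name__ == "__main__":
    for lineno, action, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}@{ref} is not pinned to a commit SHA")
    print(pin_workflow(SAMPLE_WORKFLOW, RESOLVED))
```

Note that a SHA pin only protects the action you reference directly; if that action itself does `uses: other/action@v1` internally (as a composite or via something like dynamic-uses), the transitive reference is still mutable unless the upstream project pins it too, which is the point the PR description is making.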

@HarshCasper HarshCasper self-requested a review March 21, 2025 13:39
@danrjohnson

@HarshCasper Any chance we could have this reviewed and merged in?

Member

@alexrashed alexrashed left a comment


Thanks a lot for the contribution, and thanks for the push towards pinned action references! That totally makes sense, and we could maybe directly move to Dependabot as well to make sure that we also regularly update to new releases of the actions.
I just think there is a bit of a mixup with the selected SHA hash (see comment); afterwards we can merge this one right in, and we can take over the Dependabot onboarding afterwards.

Member

@alexrashed alexrashed left a comment


Unfortunately, the CI currently does not properly work for runs from forks (since it cannot check out the action properly). I updated all the digest pins and introduced a Dependabot config. I will merge this for now and verify that the CI works properly on main.

@alexrashed alexrashed merged commit 0c7554f into localstack:main Dec 9, 2025
1 check failed
@MarkIannucci MarkIannucci deleted the pin-dynamic-uses-to-hash branch December 9, 2025 12:29
3 participants