Conversation
Replace :latest tag with pinned SHA256 digest to prevent supply chain attacks from tag mutation. Co-Authored-By: Staging-Devin AI <166158716+staging-devin-ai-integration[bot]@users.noreply.github.com>
The sed pattern for action.yml now matches both :TAG and @sha256:DIGEST formats using [:@] character class. Co-Authored-By: Staging-Devin AI <166158716+staging-devin-ai-integration[bot]@users.noreply.github.com>
| # For BSD sed (macOS), -i requires an argument (even if empty string for no backup). | ||
| if sed --version 2>/dev/null | grep -q GNU; then # GNU sed | ||
| sed -i "s|codeowners-plus:.*'|codeowners-plus:${VERSION_TAG}'|g" "${ACTIONS_FILE}" | ||
| sed -i "s|codeowners-plus[:@].*'|codeowners-plus:${VERSION_TAG}'|g" "${ACTIONS_FILE}" |
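Review bot: the `[:@]` widening is applied only inside the GNU branch selected by `if sed --version 2>/dev/null | grep -q GNU`; the BSD/macOS branch that the comment above this hunk describes needs the identical pattern change, otherwise a digest-pinned `@sha256:` reference in action.yml passes through untouched when a release is cut on macOS. Also note that `.*'` is greedy and runs to the last single quote on the line, which is fine only while the image reference is the sole quoted value there; `[^']*'` would remove that assumption.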
🚩 post-release.sh not updated but likely intentional
The scripts/post-release.sh doesn't modify action.yml at all. Previously with :latest, this was fine because Docker would resolve to the newest image. Now with sha256 pinning, after a release cycle the main branch will retain the old sha256 digest in action.yml. This means the sha256 on main could become stale after a new release. However, this appears intentional — the sha256 pinning on main represents a known-good image and would be manually updated (as was done in this PR). The prepare-release.sh correctly handles converting whatever format is in action.yml to a :vX.Y.Z tag for the release branch/tag.
Summary

Pin the Docker image used by the codeowners-plus action to its SHA256 digest instead of using the mutable :latest tag, for supply chain security.

Changes

- action.yml: Replace ghcr.io/multimediallc/codeowners-plus:latest with ghcr.io/multimediallc/codeowners-plus@sha256:8f9b834d270546cfafa9b3e6774722a93e7178fbeb08415c1bc2e655bb7f8637
- scripts/prepare-release.sh: Update sed patterns from codeowners-plus:.*' to codeowners-plus[:@].*' so the release script correctly handles both :TAG and @sha256:DIGEST formats when updating action.yml

Devin Session: https://staging.itsdev.in/sessions/4c99077567f84cb48aaec9bf4166df48
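The two mechanics this PR touches, shown as an added example that is not code from the codeowners-plus repository or from this PR: a portable form of the prepare-release rewrite that accepts both the :TAG and @sha256:DIGEST reference styles, and a pre-merge check that the image reference on main is actually pinned to a 64-hex digest rather than a mutable tag. The action.yml content, the docker:// prefix, the single-quoted image: line layout, and the function names are assumptions constructed for the demo; the pattern deliberately uses [^']*' instead of the PR's greedy .*' so it does not depend on the image reference being the only quoted value on its line.

```shell
#!/bin/sh
# Added example, not the project's own scripts. Assumes the image reference
# sits on a single-quoted `image:` line, as the PR's sed pattern also assumes.

# Rewrite any `codeowners-plus:TAG'` or `codeowners-plus@sha256:DIGEST'`
# reference in $1 to `codeowners-plus:$2'`. Writing through a temp file avoids
# the GNU vs BSD `sed -i` difference that the release script has to branch on.
rewrite_image_ref() {
  file="$1"; version_tag="$2"
  tmp="${file}.tmp"
  sed "s|codeowners-plus[:@][^']*'|codeowners-plus:${version_tag}'|g" "$file" > "$tmp" \
    && mv "$tmp" "$file"
}

# Return 0 only if $1 has at least one `image:` line and every such line is
# pinned to a sha256 digest. Any tag form (:latest, :v1.2.3) fails the check,
# so this catches a mutable tag creeping back into main.
check_digest_pinned() {
  file="$1"
  grep -Eq '^[[:space:]]*image:' "$file" || return 1
  ! grep -E '^[[:space:]]*image:' "$file" | grep -Eqv "@sha256:[0-9a-f]{64}'"
}

# Constructed sample action.yml (hypothetical layout) using the digest from this PR.
demo_file="$(mktemp)"
cat > "$demo_file" <<'EOF'
runs:
  using: 'docker'
  image: 'docker://ghcr.io/multimediallc/codeowners-plus@sha256:8f9b834d270546cfafa9b3e6774722a93e7178fbeb08415c1bc2e655bb7f8637'
EOF

check_digest_pinned "$demo_file" && echo "main: image reference is digest-pinned"

# What prepare-release does for the release branch: digest -> :vX.Y.Z tag.
rewrite_image_ref "$demo_file" "v1.2.3"
grep 'image:' "$demo_file"

# On the release branch the tag form is expected, so the pin check now fails.
check_digest_pinned "$demo_file" || echo "release branch: tag form, not digest-pinned (expected)"
rm -f "$demo_file"
```

check_digest_pinned only verifies the form of the reference; it does not tell you whether the pinned digest is still the image you intend to ship, which is the staleness point raised in the review comment above and still needs a deliberate update on main after each release.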