From 6f41cf25cb847d3a1d30993f2f958ce223fefbd3 Mon Sep 17 00:00:00 2001
From: CJ Steiner
Date: Tue, 9 Dec 2025 04:59:29 -0600
Subject: [PATCH 1/2] gha: pin actions prevent repo-takeover attack vulnerability recommended by https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions
---
 .github/workflows/bot-pr-new.yaml | 2 +-
 .github/workflows/ci.yaml | 10 +++++-----
 .github/workflows/stale.yaml | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/bot-pr-new.yaml b/.github/workflows/bot-pr-new.yaml
index 13724cc14f0..3888632b7f0 100644
--- a/.github/workflows/bot-pr-new.yaml
+++ b/.github/workflows/bot-pr-new.yaml
@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Fetch pull request branch
-        uses: actions/checkout@v2
+        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
         with:
           repository: ${{ github.event.client_payload.pull_request.head.repo.full_name }}
           ref: ${{ github.event.client_payload.pull_request.head.sha }}
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index d50aa5d37bb..9ca30256baf 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -11,8 +11,8 @@ jobs:
     name: Notebook format
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-python@v1
-      - uses: actions/checkout@v2
+      - uses: actions/setup-python@0f07f7f756721ebd886c2462646a35f78a8bc4de # v1.2.4
+      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
       - name: Fetch master branch
         run: git fetch -u origin master:master
       - name: Install tensorflow-docs
@@ -33,8 +33,8 @@ jobs:
     name: Notebook lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-python@v1
-      - uses: actions/checkout@v2
+      - uses: actions/setup-python@0f07f7f756721ebd886c2462646a35f78a8bc4de # v1.2.4
+      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
       - name: Fetch master branch
         run: git fetch -u origin master:master
       - name: Install tensorflow-docs
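Review bot: The pinned checkout step in bot-pr-new.yaml fetches a fork's head (`repository` and `ref` come from `client_payload`) while leaving checkout's default of persisting the job token into `.git/config` in place; pinning the action's SHA does not change that, so if any later step of this job (outside the hunk) runs the fetched code, or the job has more than read permissions, add `persist-credentials: false` under `with:`. The pin itself is in the right form: a full 40-hex commit SHA followed by a `# v2.7.0` comment, which is the format Dependabot uses to keep the tag comment in sync with the SHA. Before merging, confirm that `ee0669bd…` is the commit the upstream `v2.7.0` tag resolves to — the comment is documentation only, and the SHA is what the runner enforces.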
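Review bot: The SHAs chosen in the ci.yaml `@@ -11` hunk pin `actions/setup-python` to v1.2.4 and `actions/checkout` to v2.7.0, majors that are several releases behind current, and a SHA pin also stops the floating `@v1`/`@v2` tags from delivering further patch releases, so after this patch these steps only move when a PR changes them. The same applies to the `@@ -33` and `@@ -56` hunks of this file and to the bot-pr-new.yaml hunk. If the plan is the Dependabot config in the second patch of this series, expect its first PRs for these pins to be major-version jumps rather than patch bumps and review them as such; if staying on these majors is deliberate, record that next to the pin, e.g. `# v1.2.4 — intentionally on v1; bump deliberately`. Keep the `# vX.Y.Z` comment format exactly as written here, since Dependabot rewrites that comment together with the SHA.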
@@ -56,7 +56,7 @@ jobs:
     name: Notebook outputs removed
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
       - name: Fetch master branch
         run: git fetch -u origin master:master
       - name: Check for output cells
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
index 0ca76b0677e..16dfd79d765 100644
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -20,7 +20,7 @@ jobs:
       pull-requests: write
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           days-before-issue-stale: 14

From d1ec2baf50d2d0de360739f143b8e64ee7909231 Mon Sep 17 00:00:00 2001
From: CJ Steiner
Date: Tue, 9 Dec 2025 05:22:40 -0600
Subject: [PATCH 2/2] gha: setup dependabot to update github actions
---
 .github/dependabot.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 .github/dependabot.yaml

diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
new file mode 100644
index 00000000000..833c773a468
--- /dev/null
+++ b/.github/dependabot.yaml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "daily"
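Review bot: `interval: "daily"` with three distinct SHA-pinned actions and no `groups` entry means every upstream release of any of them arrives as its own PR; for a config whose only purpose is keeping SHA pins current, `weekly` with all actions grouped into a single PR keeps the review load proportionate to the risk, and the grouped PR still rewrites each SHA and its `# vX.Y.Z` comment. The two inline comments are the template's placeholders (`# See documentation for possible values`, `# Location of package manifests`) and say nothing about this repository; replace them with the reason the ecosystem is here, e.g. `# keeps the SHA-pinned actions in .github/workflows current`. `directory: "/"` is correct for the github-actions ecosystem, which scans `.github/workflows` from there, so it needs no comment.
```yaml
# … unchanged: version: 2 / updates: …
  - package-ecosystem: "github-actions"  # keeps the SHA-pinned actions in .github/workflows current
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      github-actions:
        patterns:
          - "*"
```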