SEC-090: Automated trusted workflow pinning (2023-11-06) #244

hashicorp-tsccr · 2023-11-06T08:57:45Z

You can alter the configuration of this automation via the hcl config in hashicorp/security-tsccr/automation

Please do the following:

Approve and merge this PR if you are happy with the changes.
Check if there are any untrusted third-party Actions in the workflow files and onboard them to the TSCCR.
The yaml comments "# TSCCR: no entry for repository..." or "# TSCCR: no version of..." in the workflow files identifies an untrusted Action.
If you have to onboard any third-party Actions, update and pin your workflows using the tsccr-helper tool after the Actions have been onboarded OR reach out to #team-prodsec and we can run this automation again.
Verify that your Actions are still working as expected after pinning.

Please reach out to #team-prodsec if you have any questions.

Result of tsccr-helper -log-level=info -pin-all-workflows .

4c5d70b

hashicorp-tsccr bot added the SEC-090/Pinning/Trusted Automated TSCCR pinning PR to trusted SHAs. label Nov 6, 2023

github-actions bot added the size/XS label Nov 6, 2023

katbyte closed this Dec 5, 2023

Provide feedback