SEC-090: Automated trusted workflow pinning (2023-09-18) #51

hashicorp-tsccr · 2023-09-18T14:54:25Z

You can alter the configuration of this automation via the hcl config in hashicorp/security-tsccr/automation

This is in support of RFC SEC-090 which is due to be implemented by EOQ2 FY24.

Please do the following:

Approve and merge this PR if you are happy with the changes.
Check if there are any untrusted third-party Actions in the workflow files and onboard them to the TSCCR.
The yaml comments "# TSCCR: no entry for repository..." or "# TSCCR: no version of..." in the workflow files identifies an untrusted Action.
If you have to onboard any third-party Actions, update and pin your workflows using the tsccr-helper tool after the Actions have been onboarded OR reach out to #team-prodsec and we can run this automation again.
Verify that your Actions are still working as expected after pinning.

Please reach out to #team-prodsec if you have any questions.

Result of tsccr-helper -log-level=info -pin-all-workflows .

7b358dc

hashicorp-tsccr bot added the SEC-090 Auto-pinning label Sep 18, 2023

nodyhub mentioned this pull request Sep 18, 2023

SEC-090: Automated trusted workflow pinning (2023-04-03) #49

Closed

nodyhub merged commit 0237a94 into master Sep 18, 2023

nodyhub deleted the tsccr-auto-pinning/trusted/2023-09-18 branch September 18, 2023 15:55

Provide feedback