Skip to content

bug-2020292: Implement GitHub Actions security guidelines.#7164

Merged
smarnach merged 1 commit intomainfrom
gha-guidelines
Mar 13, 2026
Merged

bug-2020292: Implement GitHub Actions security guidelines.#7164
smarnach merged 1 commit intomainfrom
gha-guidelines

Conversation

@smarnach
Copy link
Contributor

@smarnach smarnach commented Mar 3, 2026
edited
Loading

This implements the security assurance team's recommendations for GitHub Actions security. Most of the changes here are about avoiding the use of the GITHUB_ENV file to set environment variables.

@smarnach smarnach marked this pull request as ready for review March 3, 2026 16:06
@smarnach smarnach requested a review from a team as a code owner March 3, 2026 16:06
fkiriakos07
fkiriakos07 reviewed Mar 3, 2026
View reviewed changes
.github/workflows/release.yml
base_tag="$(date +v%Y.%m.%d)"
tag="$base_tag"
gh api "repos/${{ github.repository }}/tags" --paginate \
gh api "repos/$GITHUB_REPOSITORY/tags" --paginate \
Copy link
Contributor

@fkiriakos07 fkiriakos07 Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@fkiriakos07
Copy link
Contributor

fkiriakos07 commented Mar 3, 2026

looks good, thanks @smarnach , I am curious why the steps were skipped, is that normal?

@smarnach
Copy link
Contributor Author

smarnach commented Mar 5, 2026

I am curious why the steps were skipped, is that normal?

The steps to actually build and push a Docker image are only run after merging the PR, or when cutting a new release. New Docker images automatically get deployed to stage.

@biancadanforth biancadanforth self-assigned this Mar 13, 2026
biancadanforth
biancadanforth approved these changes Mar 13, 2026
View reviewed changes
Copy link
Contributor

@biancadanforth biancadanforth left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Definitely a little more verbose, but I can understand the recommendation.

@smarnach smarnach added this pull request to the merge queue Mar 13, 2026
Merged via the queue into main with commit ec28e72 Mar 13, 2026
1 check passed
@smarnach smarnach deleted the gha-guidelines branch March 13, 2026 19:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@biancadanforth biancadanforth biancadanforth approved these changes

+1 more reviewer

@fkiriakos07 fkiriakos07 fkiriakos07 left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@biancadanforth biancadanforth

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@smarnach @fkiriakos07 @biancadanforth