Skip to content

Commit acdfcfb

Browse files
author
lushirong.77
committed
docs(actions): add SHA pinning notes to OIDC examples
1 parent c9bd77a commit acdfcfb

5 files changed

Lines changed: 6 additions & 0 deletions

File tree

content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-aws.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -141,6 +141,7 @@ The `aws-actions/configure-aws-credentials` action receives a JWT from the {% da
141141
# Sample workflow to access AWS resources when workflow is tied to branch
142142
# The workflow creates a static website using Amazon S3
143143
{% data reusables.actions.actions-not-certified-by-github-comment %}
144+
{% data reusables.actions.actions-use-sha-pinning-comment %}
144145
name: AWS example workflow
145146
on:
146147
push

content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-azure.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -81,6 +81,7 @@ The following example exchanges an OIDC ID token with Azure to receive an access
8181

8282
```yaml copy
8383
{% data reusables.actions.actions-not-certified-by-github-comment %}
84+
{% data reusables.actions.actions-use-sha-pinning-comment %}
8485
name: Run Azure Login with OIDC
8586
on: [push]
8687

content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-google-cloud-platform.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -82,6 +82,7 @@ This action exchanges a {% data variables.product.prodname_dotcom %} OIDC token
8282

8383
```yaml copy
8484
{% data reusables.actions.actions-not-certified-by-github-comment %}
85+
{% data reusables.actions.actions-use-sha-pinning-comment %}
8586
name: List services in GCP
8687
on:
8788
pull_request:

content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-hashicorp-vault.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -129,6 +129,7 @@ This example demonstrates how to create a job that requests a secret from HashiC
129129
130130
```yaml copy
131131
{% data reusables.actions.actions-not-certified-by-github-comment %}
132+
{% data reusables.actions.actions-use-sha-pinning-comment %}
132133
jobs:
133134
retrieve-secret:
134135
runs-on: ubuntu-latest
@@ -163,6 +164,7 @@ By default, the Vault server will automatically revoke access tokens when their
163164
164165
```yaml copy
165166
{% data reusables.actions.actions-not-certified-by-github-comment %}
167+
{% data reusables.actions.actions-use-sha-pinning-comment %}
166168
jobs:
167169
retrieve-secret:
168170
runs-on: ubuntu-latest

content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-pypi.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -56,6 +56,7 @@ The following example uses the `pypa/gh-action-pypi-publish` action to exchange
5656

5757
```yaml copy
5858
{% data reusables.actions.actions-not-certified-by-github-comment %}
59+
{% data reusables.actions.actions-use-sha-pinning-comment %}
5960
jobs:
6061
release-build:
6162
runs-on: ubuntu-latest

0 commit comments

Comments
 (0)