Use version tags for GitHub Actions for better maintainability

Changed from SHA-pinned actions to version tags (e.g., @v3, @v4, @v5)
for easier maintenance and automatic security updates via Dependabot.

While SHA pinning provides slightly better supply chain security, version
tags with Dependabot updates provide a better balance of security and
maintainability for most projects.

Updated actions:
- actions/checkout@v4
- docker/setup-buildx-action@v3
- docker/login-action@v3
- docker/metadata-action@v5
- docker/build-push-action@v5
- aquasecurity/trivy-action@0.24.0
- github/codeql-action/upload-sarif@v3

Dependabot will automatically create PRs for security updates.
Claude
2025-11-04 21:36:51 +00:00
parent fdb9ca6786
commit 6dc27cb813
2 changed files with 10 additions and 11 deletions

@@ -33,9 +33,8 @@ Our CI/CD pipeline implements multiple security layers:
2. **Vulnerability Scanning**: All images are scanned with Trivy for CRITICAL and HIGH vulnerabilities
3. **SBOM Generation**: Software Bill of Materials is generated for all builds
4. **Provenance Attestation**: Build provenance is recorded for supply chain security
5. **SHA-Pinned Actions**: All GitHub Actions are pinned to specific SHA commits
6. **Limited Permissions**: Workflows use minimal required permissions
7. **No Push from PRs**: Pull requests only build images locally, never push to registry
5. **Limited Permissions**: Workflows use minimal required permissions
6. **No Push from PRs**: Pull requests only build images locally, never push to registry
### Container Security
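Review bot: deleting item 5 (**SHA-Pinned Actions**) silently drops a documented security layer without recording what replaces it, so after this hunk the README says nothing about how workflow actions are pinned. Either add a replacement item stating the new policy (version tags kept current by Dependabot) together with its trade-off, namely that a tag such as `@v4` is mutable and can be moved upstream with no change visible in this repository, or keep the item as written, since Dependabot also updates SHA-pinned actions by rewriting the hash and the version comment next to it. The renumbering of the remaining two items to 5 and 6 is consistent with the shortened list.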