DEV Community

Cover image for Cloud Native Live: Automate pinning GitHub Actions and container images to their digests
Stacey Potter for Stacklok

Posted on • Edited on

Cloud Native Live: Automate pinning GitHub Actions and container images to their digests

GitHub Actions, like open source dependencies, are vulnerable to malicious attacks. Pinning GitHub Actions to their digests (instead of using floating tags) is recommended by GitHub: it’s the only way to use an Action as an immutable release, so that you’re always using a known-good version even if the source repo is compromised. Likewise, for containers, the digest is a unique identifier for the content of an image. Once an image is built, its digest will always refer to that specific build, ensuring immutability and consistency.

Only 2% of public GitHub repos pin actions to digests today, probably because it’s a tedious process. But there are now ways to automate this!

Join Stacklok Engineers Juan Antonio "Ozz" Osario & Jakub Hrozek for this CNCF Livestream as they explore some free and open source tools you can use to automate pinning container images and Actions by their digests and demo how they work.

July 17, 2024
9am PT / 12pm ET / 16:00 UTC

Top comments (0)