Process for SHA-pin github action

2026-06-30 00:51:40 +00:00 · 2026-06-07 18:19:13 +10:00 · 2026-06-07 18:19:13 +10:00 · 26434e221e
commit 26434e221e
parent 0eebc242fb
4 changed files with 39 additions and 1 deletions
--- a/.github/workflows/docker-githubaction.yml
+++ b/.github/workflows/docker-githubaction.yml
@ -98,3 +98,10 @@ jobs:
            -t "ghcr.io/${IMAGE_NAME}:4-githubaction" \
            -t "ghcr.io/${IMAGE_NAME}:latest-githubaction" \
            .
+
+      - name: Report action.yml digest to pin
+        run: |
+          GITHUBACTION_DIGEST=$(docker buildx imagetools inspect "${IMAGE_NAME}:4-githubaction" --format '{{printf "%s" .Manifest.Digest}}')
+          echo "Published ${IMAGE_NAME}:4-githubaction at ${GITHUBACTION_DIGEST}"
+          echo "Update action.yml image to:"
+          echo "  docker://${IMAGE_NAME}:4-githubaction@${GITHUBACTION_DIGEST}"
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@ -5,6 +5,32 @@ permissions:

 jobs:

+  verify-action-digest:
+    name: Verify action.yml image digest
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+      - name: Verify action.yml digest matches published image
+        run: |
+          PINNED_DIGEST=$(grep -oE 'sha256:[a-f0-9]{64}' action.yml | head -1)
+          if [ -z "${PINNED_DIGEST}" ]; then
+            echo "::error::action.yml does not pin the runtime image by digest"
+            exit 1
+          fi
+
+          LATEST_DIGEST=$(docker buildx imagetools inspect docker.io/mikefarah/yq:4-githubaction --format '{{printf "%s" .Manifest.Digest}}')
+
+          echo "action.yml pins:              ${PINNED_DIGEST}"
+          echo "mikefarah/yq:4-githubaction: ${LATEST_DIGEST}"
+
+          if [ "${PINNED_DIGEST}" != "${LATEST_DIGEST}" ]; then
+            echo "::error::action.yml digest does not match the current mikefarah/yq:4-githubaction image"
+            echo "Update the image line in action.yml to:"
+            echo "  docker://mikefarah/yq:4-githubaction@${LATEST_DIGEST}"
+            exit 1
+          fi
+
  build:
    name: Build
    runs-on: ubuntu-latest
--- a/action.yml
+++ b/action.yml
@ -12,6 +12,6 @@ outputs:
    description: "The complete result from the yq command being run"
 runs:
  using: 'docker'
-  image: 'docker://mikefarah/yq:4-githubaction'
+  image: 'docker://mikefarah/yq:4-githubaction@sha256:e1b8c865f299ea6b02910a7ddf147d5d431244d4cc116f89c2148c9f53822906'
  args:
    - ${{ inputs.cmd }}
--- a/release_instructions.txt
+++ b/release_instructions.txt
@ -14,6 +14,11 @@
    FROM mikefarah/yq:4@<digest-from-above>
 - commit the Dockerfile change, then manually run the "Release Docker GitHub Action" workflow
  (Actions -> Release Docker GitHub Action -> Run workflow)
+- update action.yml to pin the newly published github-action image digest (must match the mikefarah/yq:4-githubaction manifest digest):
+    docker buildx imagetools inspect docker.io/mikefarah/yq:4-githubaction --format '{{printf "%s" .Manifest.Digest}}'
+  then update the image line in action.yml with the new digest:
+    image: 'docker://mikefarah/yq:4-githubaction@<digest-from-above>'
+- commit the action.yml change and push

 // release artifacts are signed with cosign keyless signing (Sigstore)
 // users can verify with: