Update Docker actions to use tags instead of hashes #42621
szabgab wants to merge 1 commit into github:main from
Pull request overview
This PR updates Docker action references in a tutorial documentation file from commit SHA hashes to version tags (v3, v5, v6) for the docker/login-action, docker/metadata-action, and docker/build-push-action respectively. The stated reason is that "other parts of the GitHub documentation" recommend using tags instead of hashes.
Changes:
- Updated docker/login-action references from SHA hash to @v3
- Updated docker/metadata-action reference from SHA hash to @v5
- Updated docker/build-push-action reference from SHA hash to @v6
| uses: docker/login-action@v3 | ||
| with: | ||
| username: {% raw %}${{ secrets.DOCKER_USERNAME }}{% endraw %} | ||
| password: {% raw %}${{ secrets.DOCKER_PASSWORD }}{% endraw %} | ||
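Review bot: `uses: docker/login-action@v3` replaces a full-length commit SHA pin with a mutable major-version tag, and only the new line is visible in this hunk, so a reader cannot see which commit was previously trusted. A tag such as `v3` can be moved to a different commit without any change to this workflow file, so the step that receives `secrets.DOCKER_USERNAME` and `secrets.DOCKER_PASSWORD` no longer names exactly the code it runs. If the motivation is that the old hash was stale, refreshing it to a current release commit and appending `# v3` as a trailing comment keeps the immutable pin while still showing the version to tutorial readers.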
| - name: Log in to the Container registry | ||
| uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1 | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| registry: {% ifversion fpt or ghec %}ghcr.io{% elsif ghes %}{% data reusables.package_registry.container-registry-hostname %}{% endif %} | ||
| username: {% raw %}${{ github.actor }}{% endraw %} | ||
| password: {% raw %}${{ secrets.GITHUB_TOKEN }}{% endraw %} | ||
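Review bot: the removed line `uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1` is the full-length SHA form that the review comments on this PR identify as the repository's own recommendation (content/actions/reference/security/secure-use.md), and the replacement `@v3` drops it for a step that is handed `secrets.GITHUB_TOKEN`. Suggest either keeping a full-length SHA refreshed to a current `v3` release commit (placeholder form: `docker/login-action@<full-length-sha> # v3`) or, if tags are kept deliberately for readability, recording that trade-off in the PR description so the change is not read as a blanket reversal of the pinning guidance.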
| - name: Extract metadata (tags, labels) for Docker | ||
| id: meta | ||
| uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 | ||
| uses: docker/metadata-action@v5 | ||
| with: | ||
| images: | | ||
| my-docker-hub-namespace/my-docker-hub-repository | ||
| {% data reusables.package_registry.container-registry-hostname %}/{% raw %}${{ github.repository }}{% endraw %} | ||
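Review bot: per the review comments on this PR, this example also carries the `actions-use-sha-pinning-comment` reusable, which tells readers that GitHub recommends pinning actions to a commit SHA; after this hunk the example states that recommendation and then demonstrates `docker/metadata-action@v5` on the next line. Either retain `docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7` (or a refreshed full-length SHA) or remove the reusable from this example, since the `metadata-action` output feeds the tags and labels of the published image and the current combination gives contradictory guidance.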
| - name: Build and push Docker images | ||
| id: push | ||
| uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 | ||
| uses: docker/build-push-action@v6 |
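Review bot: `docker/build-push-action@v6` replaces the pin on the step that builds and pushes the image, so a tag that is later moved affects the artifact consumers will pull, not just the workflow run. The review comment below also notes that the first example workflow in this file (lines 97, 104, 110) still uses SHA pins for the same three actions, so the file would now show two pinning styles with no explanation; the change should pick one style, apply it to both examples, and make the accompanying comment text match.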
The changes in this PR only update the third example workflow (lines 199-221) to use version tags, but the first example workflow in this file (lines 97, 104, 110) still uses SHA commit hashes for the same Docker actions. This creates an inconsistency within the same documentation file.
For consistency with the changes being made here, the first example should also be updated from:
- docker/login-action@f4ef78c to docker/login-action@v3
- docker/metadata-action@9ec57ed to docker/metadata-action@v5
- docker/build-push-action@3b5e802 to docker/build-push-action@v6
Additionally, both examples include a reusable comment stating "GitHub recommends pinning actions to a commit SHA" which directly contradicts the purpose of this PR. If the recommendation has changed to use tags instead of SHAs, this reusable comment should be updated or removed from these examples.
| - name: Extract metadata (tags, labels) for Docker | ||
| id: meta | ||
| uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 | ||
| uses: docker/metadata-action@v5 |
The workflow examples in this file include a reusable comment stating "GitHub recommends pinning actions to a commit SHA" (via the actions-use-sha-pinning-comment reusable). This directly contradicts the changes being made in this PR, which replace commit SHA pins with version tags.
According to the security documentation at content/actions/reference/security/secure-use.md lines 138-160, pinning to a full-length commit SHA is the most secure option and is recommended for third-party actions. The PR description states that tags are recommended "by other parts of the GitHub documentation," but this appears to conflict with the security best practices documented in the codebase.
If the intent is to use tags instead of SHAs in these examples (perhaps for simplicity or readability in tutorial content), the reusable comment should be removed from these workflow examples to avoid giving contradictory guidance to users.
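The review above contrasts full-length SHA pins with version tags. As an added illustration (not code from the docs repository or from this PR), the following checker scans workflow text for `uses:` references and classifies each pin by how immutable it is, which is the check a reviewer would run over a docs change like this one. The sample workflow embedded in it is constructed from the references shown in this diff plus a short SHA, a branch ref and a local action for contrast; the classification is a regex heuristic, not GitHub's own reference resolver.

```python
import re
from typing import List, Tuple

# Constructed sample input modelled on the `uses:` lines in this PR's diff,
# with a short SHA, a branch ref and a local action added for contrast.
# This is not the docs repository's actual file content.
SAMPLE_WORKFLOW = """\
steps:
  - name: Log in to the Container registry
    uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
  - name: Extract metadata (tags, labels) for Docker
    uses: docker/metadata-action@v5
  - name: Build and push Docker images
    uses: docker/build-push-action@3b5e802
  - uses: actions/checkout@main
  - name: Local composite action
    uses: ./.github/actions/build
"""

# Captures the reference after `uses:`; a trailing `# v3` comment is excluded.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")
VERSION_TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")

Finding = Tuple[int, str, str, str]  # (line number, action, ref, kind)


def classify_ref(ref: str) -> str:
    """Classify the part after '@' by how immutable the pin is."""
    if FULL_SHA_RE.match(ref):
        return "full-sha"      # immutable: identifies exactly one commit
    if SHORT_SHA_RE.match(ref):
        return "short-sha"     # abbreviated; the full-length SHA is the recommended form
    if VERSION_TAG_RE.match(ref):
        return "version-tag"   # mutable: the tag can be moved to another commit
    return "branch"            # mutable: follows the branch head


def classify_uses(workflow_text: str) -> List[Finding]:
    """Return one finding per `uses:` line in the workflow text."""
    findings: List[Finding] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./"):
            findings.append((lineno, target, "", "local"))
            continue
        if target.startswith("docker://"):
            findings.append((lineno, target, "", "docker-image"))
            continue
        if "@" not in target:
            findings.append((lineno, target, "", "unpinned"))
            continue
        action, ref = target.rsplit("@", 1)
        findings.append((lineno, action, ref, classify_ref(ref)))
    return findings


def non_sha_pins(workflow_text: str) -> List[Finding]:
    """Findings a reviewer would flag: anything not pinned to a full-length SHA.

    Local actions are skipped because they ship with the repository itself.
    """
    return [f for f in classify_uses(workflow_text) if f[3] not in ("full-sha", "local")]


if __name__ == "__main__":
    for lineno, action, ref, kind in non_sha_pins(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}@{ref} -> {kind}")
```

Run against the sample, the checker reports the `v5` tag, the abbreviated `3b5e802` hash and the `main` branch ref, and accepts only the 40-character `login-action` pin; pointing `classify_uses` at the real tutorial file would surface the mixed styles the review comments describe.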
@szabgab Can you cite sources on parts of the documentation that recommend versions instead of SHA? I'm probably going to have to check in anyway since Copilot disagrees and it may be a matter of the advice being conditional rather than blanket, but if you have a source it might be useful if that needs to be updated. |
I am sorry I don't have the link, I just vaguely remember I read it. Years ago. |
Why:
Those hashes were very old, and in general it is recommended (by other parts of the GitHub documentation) that people use tags to specify the version of actions.
What's being changed (if available, include any code snippets, screenshots, or gifs):
The versions used in the example.