Skip to content

use HEAD_SHA instead of HEAD_REF in auto_update_doc.yml #6809

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
andife merged 1 commit into from
Mar 23, 2025
Merged

use HEAD_SHA instead of HEAD_REF in auto_update_doc.yml #6809

andife merged 1 commit into from
Mar 23, 2025

Conversation

@mshudrak
Copy link
Contributor

@mshudrak mshudrak commented Mar 12, 2025

Description

Pulling commit using HEAD_SHA instead of HEAD_REF.

Motivation and Context

This reduces the risk of Github Actions TOCTOU attack described here https://github.com/AdnaneKhan/ActionsTOCTOU
Ref #6736

@mshudrak
Update auto_update_doc.yml
a538380 
Pulling commit using HEAD_SHA instead of HEAD_REF. This reduces the risk of Github Actions TOCTOU attack described here https://github.com/AdnaneKhan/ActionsTOCTOU

Signed-off-by: mshudrak <69989229+mshudrak@users.noreply.github.com>
@mshudrak mshudrak requested a review from a team as a code owner March 12, 2025 17:14
@github-project-automation github-project-automation bot moved this to In progress in PR Tracker Mar 12, 2025
@mshudrak mshudrak mentioned this pull request Mar 12, 2025
Closed
@codecov
Copy link

codecov bot commented Mar 12, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 56.28%. Comparing base (7923ca4) to head (a538380).
Report is 9 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #6809   +/-   ##
=======================================
  Coverage   56.28%   56.28%           
=======================================
  Files         509      509           
  Lines       32579    32579           
  Branches     3099     3099           
=======================================
  Hits        18336    18336           
  Misses      13385    13385           
  Partials      858      858

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@cyyever cyyever added the run release CIs Use this label to trigger release tests in CI label Mar 14, 2025
@andife andife changed the title Update auto_update_doc.yml Reduce security risk in auto_update_doc.yml Mar 23, 2025
@andife andife changed the title Reduce security risk in auto_update_doc.yml use HEAD_SHA instead of HEAD_REF in auto_update_doc.yml Mar 23, 2025
@andife andife enabled auto-merge March 23, 2025 10:35
@github-project-automation github-project-automation bot moved this from In progress to Reviewer approved in PR Tracker Mar 23, 2025
@andife andife added this pull request to the merge queue Mar 23, 2025
Merged via the queue into onnx:main with commit 55a61f9 Mar 23, 2025
82 checks passed
@github-project-automation github-project-automation bot moved this from Reviewer approved to Done in PR Tracker Mar 23, 2025
@osalbahr osalbahr mentioned this pull request Aug 27, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andife andife andife approved these changes

+1 more reviewer

@cyyever cyyever cyyever approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

run release CIs Use this label to trigger release tests in CI

Projects

PR Tracker
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mshudrak @cyyever @andife