From acdfcfb7cd51d6e419ccf469bb8e97d7baed36f1 Mon Sep 17 00:00:00 2001
From: "lushirong.77"
Date: Tue, 30 Jun 2026 17:24:44 +0800
Subject: [PATCH] docs(actions): add SHA pinning notes to OIDC examples

---
 .../secure-your-work/security-harden-deployments/oidc-in-aws.md | 1 +
 .../security-harden-deployments/oidc-in-azure.md | 1 +
 .../oidc-in-google-cloud-platform.md | 1 +
 .../security-harden-deployments/oidc-in-hashicorp-vault.md | 2 ++
 .../security-harden-deployments/oidc-in-pypi.md | 1 +
 5 files changed, 6 insertions(+)

diff --git a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-aws.md b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-aws.md
index 4099d3209647..9d78780f25a6 100644
--- a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-aws.md
+++ b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-aws.md
@@ -141,6 +141,7 @@ The `aws-actions/configure-aws-credentials` action receives a JWT from the {% da
 # Sample workflow to access AWS resources when workflow is tied to branch
 # The workflow creates a static website using Amazon S3
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
 name: AWS example workflow
 on:
 push
diff --git a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-azure.md b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-azure.md
index 5708cfe7f55d..df4a276e630c 100644
--- a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-azure.md
+++ b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-azure.md
@@ -81,6 +81,7 @@ The following example exchanges an OIDC ID token with Azure to receive an access
 ```yaml copy
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
 name: Run Azure Login with OIDC
 on: [push]
diff --git a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-google-cloud-platform.md b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-google-cloud-platform.md
index 5366b5acb3ee..8e048ca84cb7 100644
--- a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-google-cloud-platform.md
+++ b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-google-cloud-platform.md
@@ -82,6 +82,7 @@ This action exchanges a {% data variables.product.prodname_dotcom %} OIDC token
 ```yaml copy
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
 name: List services in GCP
 on:
 pull_request:
diff --git a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-hashicorp-vault.md b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-hashicorp-vault.md
index b2a016ef6461..a987c22dca2d 100644
--- a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-hashicorp-vault.md
+++ b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-hashicorp-vault.md
@@ -129,6 +129,7 @@ This example demonstrates how to create a job that requests a secret from HashiC
 ```yaml copy
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
 jobs:
 retrieve-secret:
 runs-on: ubuntu-latest
@@ -163,6 +164,7 @@ By default, the Vault server will automatically revoke access tokens when their
 ```yaml copy
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
 jobs:
 retrieve-secret:
 runs-on: ubuntu-latest
diff --git a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-pypi.md b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-pypi.md
index d659744c9677..026106ee0819 100644
--- a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-pypi.md
+++ b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-pypi.md
@@ -56,6 +56,7 @@ The following example uses the `pypa/gh-action-pypi-publish` action to exchange
 ```yaml copy
 {% data reusables.actions.actions-not-certified-by-github-comment %}
+{% data reusables.actions.actions-use-sha-pinning-comment %}
 jobs:
 release-build:
 runs-on: ubuntu-latest