Skip to content

🔒 Pin Docker image in GitHub Actions to prevent supply chain attacks#8

Open
jsem-nerad wants to merge 1 commit into
mainfrom
security-pin-github-actions-docker-image-18314711274942484256
Open

🔒 Pin Docker image in GitHub Actions to prevent supply chain attacks#8
jsem-nerad wants to merge 1 commit into
mainfrom
security-pin-github-actions-docker-image-18314711274942484256

Conversation

@jsem-nerad

@jsem-nerad jsem-nerad commented May 23, 2026

Copy link
Copy Markdown
Owner

🎯 What: The devatherock/minify-js Docker image in .github/workflows/minify-js.yml was using a mutable tag (3.1.0), which has been replaced with its corresponding immutable SHA-256 digest.
⚠️ Risk: Using mutable tags for Docker images in CI/CD pipelines is a security risk. If the tag is maliciously updated to point to a compromised image, the CI workflow would automatically pull and execute it, potentially leading to a supply chain attack.
🛡️ Solution: The fix replaces the :3.1.0 tag with @sha256:cca5837fabfe5d11d8e751080f9a0de838ebfc58e6fc382c421a22d751b075c0, ensuring that the workflow consistently and securely pulls the exact version of the image intended, mitigating the risk of supply chain vulnerabilities.

PR created automatically by Jules for task 18314711274942484256 started by @jsem-nerad

@google-labs-jules @jsem-nerad
🔒 Pin devatherock/minify-js Docker image in GitHub Actions to SHA digest
1a383ca 
This change pins the `devatherock/minify-js` Docker image used in the `.github/workflows/minify-js.yml` workflow to a specific SHA digest instead of using the mutable `3.1.0` tag. This is a security best practice to prevent potential supply chain attacks where a mutable tag could be hijacked or replaced to point to a compromised image.

Co-authored-by: jsem-nerad <88319121+jsem-nerad@users.noreply.github.com>
@google-labs-jules

google-labs-jules Bot commented May 23, 2026

Copy link
Copy Markdown

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

Copilot AI review requested due to automatic review settings May 23, 2026 16:20
Copilot AI reviewed May 23, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the CI workflow by pinning the devatherock/minify-js Docker image used in the minify-js GitHub Actions workflow to an immutable SHA-256 digest, reducing supply-chain risk from mutable tags.

Changes:

  • Replace docker://devatherock/minify-js:3.1.0 with docker://devatherock/minify-js@sha256:cca5837f... in the workflow step that performs JS minification.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jsem-nerad