2026-04-30 08:17:31 +00:00
4 changed files with 76 additions and 2 deletions
--- a/.forgejo/workflows/validate-shared-actions.yml
+++ b/.forgejo/workflows/validate-shared-actions.yml
@ -9,7 +9,7 @@ permissions:

 jobs:
  validate-shared-actions:
-    runs-on: stackit-ubuntu-20
+    runs-on: stackit-ubuntu-22
    steps:
      - name: Checkout
        uses: actions/checkout@v4
--- a/README.md
+++ b/README.md
@ -1,14 +1,19 @@
 # shared-actions

-Shared composite actions for Forgejo CI/CD pipelines.
+Shared actions for Forgejo CI/CD pipelines.

 ## Actions

 | Action | Description |
 |--------|-------------|
 | [aws-configure](aws-configure) | Authenticate with AWS via OIDC |
+| [checkout](checkout) | Action for checking out a repository |


+## Security
+
+Where third-party Forgejo/GitHub Actions are used internally, they are pinned to exact commit hashes rather than mutable tags to prevent supply chain attacks.
+
 ## Usage

 Reference actions from your project's workflow:
--- a/checkout/README.md
+++ b/checkout/README.md
@ -0,0 +1,24 @@
+# checkout
+
+Composite wrapper around actions/checkout pinned to a specific commit SHA to prevent supply chain attacks via tag or branch hijacking.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `ref` | No | `''` | Branch, tag, or SHA to checkout |
+| `repository` | No | `${{ github.repository }}` | Repository name with owner |
+| `token` | No | `${{ github.token }}` | Personal access token to fetch the repository |
+| `path` | No | `''` | Relative path under `$GITHUB_WORKSPACE` to place the repository |
+| `fetch-depth` | No | `1` | Number of commits to fetch. `0` fetches all history |
+| `submodules` | No | `false` | Whether to checkout submodules (`true`, `false`, or `recursive`) |
+
+## Usage
+
+```yaml
+- uses: schmalz/shared-actions/.forgejo/actions/checkout@v1
+```
+
+## Notes
+
+- Pinned to `actions/checkout` commit SHA `de0fac2e` (v6.0.2) to prevent supply chain attacks via tag or branch hijacking.
--- a/checkout/action.yml
+++ b/checkout/action.yml
@ -0,0 +1,45 @@
+name: Schmalz Checkout
+description: >
+  Composite wrapper around actions/checkout pinned to a specific commit SHA
+  to prevent supply chain attacks via tag or branch hijacking.
+
+inputs:
+  ref:
+    description: The branch, tag, or SHA to checkout. Defaults to the ref that triggered the workflow.
+    required: false
+    default: ''
+  repository:
+    description: Repository name with owner (e.g. actions/checkout). Defaults to the current repository.
+    required: false
+    default: ${{ github.repository }}
+  token:
+    description: Personal access token used to fetch the repository.
+    required: false
+    default: ${{ github.token }}
+  path:
+    description: Relative path under $GITHUB_WORKSPACE to place the repository.
+    required: false
+    default: ''
+  fetch-depth:
+    description: Number of commits to fetch. 0 fetches all history.
+    required: false
+    default: '1'
+  submodules:
+    description: Whether to checkout submodules. true, false, or recursive.
+    required: false
+    default: 'false'
+
+runs:
+  using: composite
+  steps:
+    # Pinned to commit SHA instead of a tag to prevent supply chain attacks.
+    # actions/checkout v6.0.2 — https://code.forgejo.org/actions/checkout/commits/tag/v6.0.2
+    - name: Checkout repository
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      with:
+        ref: ${{ inputs.ref }}
+        repository: ${{ inputs.repository }}
+        token: ${{ inputs.token }}
+        path: ${{ inputs.path }}
+        fetch-depth: ${{ inputs.fetch-depth }}
+        submodules: ${{ inputs.submodules }}