docs: add instructions for locking down docker image to digest sha

fstaine · Jan 31, 2021 · 6618091 · 6618091
1 parent 4c8b6b5
commit 6618091
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -49,6 +49,21 @@ steps:
   - uses: docker://codfish/semantic-release-action:v1
 ```
 
+If you're security conscious, you can
+[pin the docker image down to a specific digest](https://francoisbest.com/posts/2020/the-security-of-github-actions#docker-based-actions)
+instead of using an image tag, which is a mutable reference.
+
+```yml
+steps:
+  # Reference a docker image from GitHub Container Registry
+  - uses: docker://ghcr.io/codfish/semantic-release-action@sha256:16ab6c16b1bff6bebdbcc6cfc07dfafff49d23c6818490500b8edb3babfff29e
+```
+
+Inspect the
+[image version you want here](https://github.com/users/codfish/packages/container/package/semantic-release-action)
+to find the digest. If you prefer pulling from
+[Docker Hub, check here](https://hub.docker.com/repository/docker/codfish/semantic-release-action/tags).
+
 ### Basic Usage
 
 ```yml