You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This issue proposes to pin the version of all third-party GitHub actions used in this repo leveraging a commit SHA rather than a branch or a tag.
Motivation
Using a SHA is generally suggested because of various reasons:
It makes the third-party action's code immutable: the third-party action code won't change over time with new releases so the action will always have a predictable behavior. New breaking changes won't impact our workflow.
It helps mitigate the risk of a bad actor adding a backdoor to the third-party action's repository. Pinning to a commit SHA reduces this risk of unintentionally introducing malicious code in the future ( a branch or tag of an action can be compromised, the commit SHA is immutable).
Suggestion/Improvement
Description
This issue proposes to pin the version of all third-party GitHub actions used in this repo leveraging a commit SHA rather than a branch or a tag.
Motivation
Using a SHA is generally suggested because of various reasons:
See more info here: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
Implementation (if applicable)
For example in the workflows file(s), this line:
will be changed to this:
Where
8ade135a41bc03ea155e62e844d188df1ea18608
is the full commit SHA of the latest published tag of the actions/checkout repository.The text was updated successfully, but these errors were encountered: