You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Referencing actions by commit SHA in GitHub workflows guarantees you are using an immutable version. Actions referenced by tags and branches are more vulnerable to attacks, such as the tag being moved to a malicious commit or a malicious commit being pushed to the branch.
I recently recommended #126 and, like that change, this one also a security good-practice. If you agree, we can update, for example, actions/setup-go@v4 to actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe followed by a comment # v4.1.0 to keep the version readable and I can support you by opening a PR.
Additional Context
Hi! I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)
The text was updated successfully, but these errors were encountered:
Referencing actions by commit SHA in GitHub workflows guarantees you are using an immutable version. Actions referenced by tags and branches are more vulnerable to attacks, such as the tag being moved to a malicious commit or a malicious commit being pushed to the branch.
Although there are pros and cons for each reference, GitHub understands using commit SHAs is more reliable, as does Scorecard security tool.
I recently recommended #126 and, like that change, this one also a security good-practice. If you agree, we can update, for example,
actions/setup-go@v4toactions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbefollowed by a comment# v4.1.0to keep the version readable and I can support you by opening a PR.Additional Context
Hi! I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)
The text was updated successfully, but these errors were encountered: