When developing with CI workflows, it's common to version-pin dependencies (i.e. actions/checkout@v3). However, version tags are mutable, so a malicious attacker could overwrite a version tag to point to a malicious or vulnerable commit instead.
Pinning workflow dependencies by hash (or commit SHA) ensures the dependency is immutable and its behavior is guaranteed.
These dependencies can be kept up-to-date with dependabot. Whenever a new version of an Action is released, you'll receive a PR updating both its hash and the version comment.
I'll send a PR pinning the dependencies and adding dependabot along with this issue.
Sorry for not following the issue template, but I couldn't figure out how to make it fit for this issue.