We recently changed from versions (@v4) to hashes (b7bcd026f18772e44fe1026d729e1611cc435d47). This offers a strong defense against supply chain attacks. However, we should continue to update these actions to be current in an automated fashion.
Like we did with CHT Core recently, we should add a Dependabot config that updates the action hashes and includes a cooldown (see CHT Core's PR's dependabot file for an example). This way we can keep the actions up to date and continue to use hashes, but not rush to adopt a release that may have a vulnerability, by using the 7 day cooldown.
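An added example of what such a config could look like (not the CHT Core file and not part of this issue): a .github/dependabot.yml for the github-actions ecosystem with a 7 day cooldown, assuming Dependabot's cooldown option with the default-days key and a weekly schedule.

```yaml
# .github/dependabot.yml (example, constructed for this issue; not CHT Core's file)
version: 2
updates:
  - package-ecosystem: "github-actions"
    # "/" covers every workflow under .github/workflows
    directory: "/"
    schedule:
      interval: "weekly"
    # Cooldown: Dependabot waits this many days after a new release before
    # proposing it, so a freshly published (possibly compromised) tag is not
    # pulled in immediately. 7 days matches the cooldown proposed above.
    cooldown:
      default-days: 7
    # Keep one PR per action instead of a noisy stream; tune as needed.
    open-pull-requests-limit: 5
```

For the pinned hashes to be bumped, each workflow step should keep the version comment after the SHA (for example `uses: owner/action@<40-hex-sha> # v4`), which Dependabot reads to map the commit back to a release and updates alongside the hash.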