Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
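As an added illustration of the check described above (not code from the issue or from the project it concerns), the following script scans a workflow file for `uses:` references and reports those not pinned to a full 40-character commit SHA. The sample workflow and its SHA are constructed placeholders; the script only checks the form of the reference, so verifying that a SHA belongs to the upstream repository rather than a fork remains a manual step.

```python
import re

# A `uses:` reference looks like owner/repo[/path]@ref. Only a full-length
# commit SHA is immutable; tags, branches and short SHAs can be moved.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)["\']?')
FULL_SHA_RE = re.compile(r'^[0-9a-fA-F]{40}$')

# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - name: Lint
        uses: some-org/some-action@main
"""

def parse_uses(workflow_text):
    """Yield (line_no, reference) for every `uses:` line in a workflow file."""
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            yield line_no, m.group(1)

def classify(reference):
    """Return 'local', 'docker', 'sha' or 'unpinned' for one uses: reference."""
    if reference.startswith('./'):
        return 'local'      # action in the same repository; nothing to pin
    if reference.startswith('docker://'):
        return 'docker'     # container image; pin by digest, not covered here
    if '@' not in reference:
        return 'unpinned'   # no ref at all: resolves to the default branch
    _, ref = reference.rsplit('@', 1)
    return 'sha' if FULL_SHA_RE.match(ref) else 'unpinned'

def find_unpinned(workflow_text):
    """List (line_no, reference) pairs that are not pinned to a full commit SHA."""
    return [(n, r) for n, r in parse_uses(workflow_text) if classify(r) == 'unpinned']

if __name__ == '__main__':
    for n, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f'line {n}: {ref} is not pinned to a full commit SHA')
```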
rdimaio changed the title from "Security: Third-party actions are not pinned by full commit SHA" to "Security: Third-party workfloe actions are not pinned by full commit SHA" (Apr 19, 2024)
rdimaio changed the title from "Security: Third-party workfloe actions are not pinned by full commit SHA" to "Security: Third-party GH workflow actions are not pinned by full commit SHA" (Apr 19, 2024)
rdimaio added a commit to rdimaio/rucio that referenced this issue (Apr 19, 2024)
See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions: