Pin the GitHub Action dependencies to the hash according to secure software development best practices
recommended by the Open Source Security Foundation (OpenSSF).
When developing a CI workflow, it's common to version-pin dependencies (e.g. actions/checkout@v4). However, version tags are mutable, so a malicious attacker could overwrite a version tag to point to a malicious or vulnerable commit instead.
Pinning workflow dependencies by hash ensures the dependency is immutable and its behavior is guaranteed.
This PR also adds a dependabot which will perform weekly checks of the GitHub actions used in CI.
When a newer version is found, a pull request is opened to suggest a lift.
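As an added example (not part of this PR or the project), a small Python audit that flags workflow steps whose `uses:` ref is not a full 40-hex commit SHA, and SHA-pinned steps that lack the trailing version comment Dependabot relies on to propose lifts; the sample workflow and the 40-hex value in it are constructed placeholders, not real commits.

```python
import re

# `uses: owner/repo[/path]@ref` with an optional trailing `# vX.Y.Z` comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^@\s]+)@(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*\S))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Dependabot config that checks GitHub Actions weekly (the shape this PR adds).
DEPENDABOT_CONFIG = """version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
"""

# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
      - run: npm test
"""

def audit_workflow(text):
    """Return (line_no, action, ref, reason) for each step that fails the pinning policy."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if action.startswith("docker://"):
            continue  # container refs are pinned by image digest, out of scope here
        if not FULL_SHA_RE.match(ref):
            findings.append((n, action, ref, "mutable ref (tag/branch); pin to full commit SHA"))
        elif not comment:
            findings.append((n, action, ref, "pinned without version comment; Dependabot cannot track it"))
    return findings

if __name__ == "__main__":
    for n, action, ref, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {n}: {action}@{ref}: {reason}")
```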
See #42, or the OpenSSF Scorecard check descriptions: https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies and https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool