Open webmaster128 opened 2 months ago
Hi @webmaster128!
My recommendation is to follow https://autofix.ci/setup, which always has the latest version. I would not worry about updating as long as things work. If we should become aware of a security issue, we'll disclose it on GitHub and Dependabot will come poke at you. :)
We suggest to pin the action to a specific hash to make your workflow more resilient against supply chain attacks. A tag is mutable and can be modified to point to a different commit. If a bad actor would somehow manage to gain access to the autofix repository in the future, they could execute malicious code in your pipeline if you use @v1. This can be mitigated by pinning to a specific commit instead. You can find more details at https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions.
The previous paragraph is not specific to autofix.ci - this basically applies to any third-party GitHub action. I'm just trying to nudge folks to secure-by-default. :)
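A small check for the pinning advice above, added here as an example and not code from the thread or from autofix.ci: it scans a workflow file for `uses:` references and reports every third-party action that is not pinned to a full 40-character commit SHA. The embedded workflow is constructed for the demo; the `autofix-ci/action` name and its SHA are placeholders, not a real pinned revision.

```python
import re

# Constructed sample workflow (not from the thread). It contains one step
# pinned to a mutable tag, one pinned to a full commit SHA (placeholder
# value) with the version recorded in a comment, and one local action.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  autofix:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm run lint -- --fix
      - uses: autofix-ci/action@0123456789abcdef0123456789abcdef01234567 # v1.3.1 (placeholder SHA)
      - uses: ./.github/actions/local-thing
"""

# Matches "uses: <ref>" on a step line, stopping at whitespace or a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full git commit SHA: exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_text):
    """Return (line_no, ref) for each remote action not pinned to a full SHA.

    Local path actions (./...) and docker:// images are skipped: there is no
    git ref to pin for them. Everything else, including a bare "@v1" tag or
    a missing "@<ref>", is reported because a tag or branch can be moved.
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1).strip("'\"")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append((line_no, ref))
    return findings


if __name__ == "__main__":
    for line_no, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} is not pinned to a commit SHA")
```

Pinning by SHA only helps if the comment beside it is kept accurate; Dependabot can bump both the SHA and the version comment together.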
Heyhey! Love this product idea and want to give it a try. However, I see many examples contain a hash for the version of autofix. I think this is very inconvenient as those hashes are different and I have no idea if they are very outdated or the right ones. E.g. here, or here, and here.
I am not horribly familiar with versioning of GitHub actions but as a user I would ideally like to do something like give me the latest ^1.0.0. But the v1 tag seems to be a v1.0.0 and not moving. I will try v1.3.1 for now, hoping this is a reasonable choice. Cheers!