eliben / pycparser

:snake: Complete C99 parser in pure Python

Hash pin ci.yml workflow #506

Closed joycebrum closed 1 year ago

joycebrum commented 1 year ago

Issue #505

Example of success run with hash pin https://github.com/joycebrum/pycparser/actions/runs/5006562582

Hashes:

joycebrum commented 1 year ago

Yeah, the attacker can hijack or tag-rename any version if the action repo got compromised.

Although the actions are official, they are also open source projects and unfortunately can be compromised as any other project could.

But it is important to notice that this is just an extra precaution (since the token permission is already read only, not much harm could be done).
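The point being made above is that a tag such as `v3` is a mutable reference: whoever controls the action's repository can move or recreate it, whereas a full 40-character commit SHA cannot be pointed at different code. A small checker that flags `uses:` references not pinned to a SHA makes that distinction concrete. This is an added example, not code from this PR or from the pycparser project; the workflow text and the SHA in it are constructed for illustration and are not the project's actual `ci.yml` or real commit hashes.

```python
import re
from typing import List, Tuple

# Constructed sample workflow text (not pycparser's real ci.yml); the SHA below
# is a made-up placeholder, not a real commit of actions/setup-python.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@aabbccddeeff00112233445566778899aabbccdd  # placeholder SHA
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.18
      - uses: some-org/some-action@main
"""

# Matches "uses: <value>" whether or not the key starts a list item, and stops
# before whitespace, quotes, or a trailing "# comment".
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')
VERSION_TAG_RE = re.compile(r'^v?\d+(\.\d+)*$')


def classify_ref(uses: str) -> str:
    """Classify how an action reference is pinned.

    'sha'    -> immutable full commit hash (the hardened form)
    'tag'    -> version-looking tag such as v3 or v3.1.0 (mutable)
    'branch' -> any other ref, e.g. main (mutable)
    'no-ref' -> no @ref at all
    'local'  -> action checked into this repository (./path)
    'docker' -> docker:// image reference (pinned separately, by digest)
    """
    if uses.startswith('./'):
        return 'local'
    if uses.startswith('docker://'):
        return 'docker'
    if '@' not in uses:
        return 'no-ref'
    _, ref = uses.rsplit('@', 1)
    if SHA_RE.match(ref):
        return 'sha'
    if VERSION_TAG_RE.match(ref):
        return 'tag'
    return 'branch'


def scan_workflow(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, uses_value, classification) for every uses: line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            uses = m.group(1)
            findings.append((lineno, uses, classify_ref(uses)))
    return findings


def unpinned(text: str) -> List[Tuple[int, str, str]]:
    """Only the references a reviewer would ask to be replaced by a commit SHA."""
    return [f for f in scan_workflow(text) if f[2] in ('tag', 'branch', 'no-ref')]


if __name__ == '__main__':
    for lineno, uses, kind in scan_workflow(SAMPLE_WORKFLOW):
        flag = 'PIN ME' if kind in ('tag', 'branch', 'no-ref') else 'ok'
        print(f'line {lineno:>3}: {kind:<7} {flag:<7} {uses}')
```

The checker deliberately treats `v3.1.0` the same as `v3`: a fully specified version tag is still a tag and can still be moved, which is exactly why the PR replaces tags with hashes rather than with more precise tags. Keeping the original tag in a trailing comment, as in the sample's SHA line, preserves readability without weakening the pin.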

eliben commented 1 year ago

Thanks for the clarification. I think I'll prefer to keep it simple for now