Open iHiD opened 4 years ago
We might want to use this instead of messing around with a CI check to check CI checks: https://docs.github.com/en/free-pro-team@latest/github/setting-up-and-managing-organizations-and-teams/disabling-or-limiting-github-actions-for-your-organization#allowing-specific-actions-to-run
It's more ongoing work but it's the safest way to do it. If you don't want to deal with keeping such a list up-to-date yourself, we could fork/vendor them to a single repo and allow people to only use actions in that repo through the setting above. Then people can PR actions they need to it but @exercism/maintainers-admin have to sign off on them. Depending on the exact setup, we could even have Dependabot update it.
It would also allow us to specify version tags instead of having to update SHAs in every single repo.
Yeah - that's a nice idea.
As per: https://github.com/exercism/problem-specifications/pull/1722/files#diff-4d2cace23cf1ea1094ebdad9ef0dfa2e93c9e23056b2265af6ddec0e5899c932R75
Can we enforce (via CI) that all GHA scripts are pinned to shas?
This is a real attack vector for us for repos with tokens (which many repos now have), as someone could change the script and spam our AWS account and cost us a lot of money.
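One way to implement the CI check asked about above (every `uses:` pinned to a full commit SHA), combined with the allow-list idea from the earlier comment (only actions from an approved set of repos), as an added example that is not part of this issue thread or of any Exercism tooling. The workflow text, the commit SHA and the action names below are constructed for illustration; the check is a line-based scan so it needs no YAML library, and the `allowed_repos` parameter is a hypothetical stand-in for whatever vendored-actions list the org settles on.

```python
import re

# Constructed sample workflow; the SHA and action names are made up for the example.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3 (constructed pin)
      - uses: actions/setup-node@v3
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.18
      - uses: some-org/some-action@main
      - name: run tests
        run: ./bin/test
"""

# Matches a step's `uses:` value, stopping at whitespace, quotes or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
# A full 40-hex commit SHA; tags and branch names fail this test.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned(workflow_text, allowed_repos=None):
    """Return (line_no, ref, reason) for every `uses:` reference that is not a
    SHA-pinned action from an allowed repo.

    Local actions (./path) are skipped: they live in the same repo and are
    covered by that repo's own code review. Docker references must carry an
    image digest to count as pinned. If allowed_repos is given, the
    owner/repo part of each action must appear in it.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./"):
            continue
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append((lineno, ref, "docker image not pinned by digest"))
            continue
        if "@" not in ref:
            findings.append((lineno, ref, "no version reference"))
            continue
        action, version = ref.rsplit("@", 1)
        # Actions may live in a sub-directory (owner/repo/path); the allow list is per repo.
        repo = "/".join(action.split("/")[:2])
        if allowed_repos is not None and repo not in allowed_repos:
            findings.append((lineno, ref, "action repo not in allow list"))
            continue
        if not SHA_RE.match(version):
            findings.append((lineno, ref, "not pinned to a full commit SHA"))
    return findings


if __name__ == "__main__":
    # Hypothetical allow list: the repos the org has vetted or vendored.
    allowed = {"actions/checkout", "actions/setup-node"}
    for lineno, ref, reason in find_unpinned(SAMPLE_WORKFLOW, allowed_repos=allowed):
        print(f"line {lineno}: {ref}: {reason}")
```

In a CI job this would run over every file under `.github/workflows/` and fail the build when the list is non-empty; a SHA pin alone does not stop a compromised upstream from publishing malicious commits, but it does stop a moved tag or branch from silently changing what the workflow runs, which is the scenario the issue describes.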