Pinning using a cryptographic hash or signature is considered a Best Practice to ensure that a specific version of a component is used, which can help in making builds more reproducible and trustworthy. All of our GitHub OSPO Actions do not follow the best practices in terms of being immutable ("pinnable").
Is your feature request related to a problem?
Pinning using a cryptographic hash or signature is considered a Best Practice to ensure that a specific version of a component is used, which can help in making builds more reproducible and trustworthy. All of our GitHub OSPO Actions do not follow the best practices in terms of being immutable ("pinnable").
Related OSPO Tool
stale-repos GitHub Action, issues-metrics GitHub Action, automatic-contrib-prs GitHub Action, evergreen GitHub Action, cleanowners GitHub Action, contributors GitHub Action
Describe the solution you'd like
See remediation paths at https://github.com/boostsecurityio/poutine/blob/main/docs/content/en/rules/unpinnable_action.md#remediation
Ideally we would make our actions pinnable, update our docs to encourage that practice, and ensure our CI components are all pinned.
Describe alternatives you've considered
none
Additional context
Found based on running the poutine tool