jmeridth
commented
6 months ago Turned on OSSF Scorecard on stale-repos and the results agree with this issue. 😄 Will work through them all in a PR per repo.
Closed zkoppert closed 6 months ago
jmeridth
commented
6 months ago Turned on OSSF Scorecard on stale-repos and the results agree with this issue. 😄 Will work through them all in a PR per repo.
jmeridth
commented
6 months ago This is complete
Is your feature request related to a problem?
Pinning using a cryptographic hash or signature is considered a Best Practice to ensure that a specific version of a component is used, which can help in making builds more reproducible and trustworthy. All of our GitHub OSPO Actions do not follow the best practices in terms of being immutable ("pinnable").
Related OSPO Tool
stale-repos GitHub Action, issues-metrics GitHub Action, automatic-contrib-prs GitHub Action, evergreen GitHub Action, cleanowners GitHub Action, contributors GitHub Action
Describe the solution you'd like
See remediation paths at https://github.com/boostsecurityio/poutine/blob/main/docs/content/en/rules/unpinnable_action.md#remediation
Ideally we would make our actions pinnable, update our docs to encourage that practice, and ensure our CI components are all pinned.
Describe alternatives you've considered
none
Additional context
Found based on running the poutine tool