google / pprof

pprof is a tool for visualization and analysis of profiling data
Apache License 2.0

Hash-pin workflow Actions #786

Closed pnacht closed 1 year ago

pnacht commented 1 year ago

When developing with CI workflows, it's common to version-pin dependencies (i.e. actions/checkout@v3). However, version tags are mutable, so a malicious attacker could overwrite a version tag to point to a malicious or vulnerable commit instead.

Pinning workflow dependencies by hash (or commit SHA) ensures the dependency is immutable and its behavior is guaranteed.

These dependencies can be kept up-to-date with dependabot. Whenever a new version of an Action is released, you'll receive a PR updating both its hash and the version comment.

I'll send a PR pinning the dependencies and adding dependabot along with this issue.


Sorry for not following the issue template, but I couldn't figure out how to make it fit for this issue.
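The check below is an added example of the audit the issue is asking for; it is not code from the pprof repository or from the PR mentioned above. It scans a workflow file for `uses:` references that are pinned to a mutable tag or branch rather than a full 40-hex commit SHA, and rewrites them in the `owner/repo@<sha>  # <tag>` form that Dependabot keeps up to date. The workflow text, the `some-org/some-action` name and the all-`a` SHA are constructed for the example; a real SHA is obtained with `git ls-remote https://github.com/<owner>/<repo> <tag>` (for an annotated tag, take the peeled `^{}` entry, which is the commit).

```python
"""Audit GitHub Actions workflows for actions that are not pinned to a commit SHA.

Added example, not part of the pprof project. Names and SHAs below are constructed.
"""
import re

# A full git object id: 40 lowercase hex characters. Anything shorter or
# non-hex (v3, main, v4.1.0) is a ref the upstream repo can move at will.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

# "uses: <ref>" as a list item or a bare mapping value; the ref ends at
# whitespace or at a YAML comment such as "  # v4.1.0".
USES_LINE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")


def classify(ref):
    """Classify one action reference.

    'local'   - ./path inside the repo, nothing to pin
    'docker'  - docker:// image, pin by image digest instead (not handled here)
    'sha'     - owner/repo@<40-hex commit>, immutable
    'mutable' - owner/repo@<tag or branch>, can be re-pointed upstream
    'missing' - no @ref at all (GitHub rejects it, but flag it anyway)
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    if "@" not in ref:
        return "missing"
    _, version = ref.rsplit("@", 1)
    return "sha" if FULL_SHA.fullmatch(version) else "mutable"


def audit_workflow(text):
    """Return [(line_no, ref, status)] for every `uses:` that is not SHA-pinned."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1)
        status = classify(ref)
        if status in ("mutable", "missing"):
            findings.append((line_no, ref, status))
    return findings


def pin_reference(ref, sha):
    """Rewrite owner/repo@<tag> as owner/repo@<sha>  # <tag>.

    The trailing comment is what Dependabot updates alongside the SHA, so the
    human-readable version stays visible in the workflow.
    """
    if not FULL_SHA.fullmatch(sha):
        raise ValueError("expected a full 40-hex commit SHA, got %r" % (sha,))
    name, tag = ref.rsplit("@", 1)
    return "%s@%s  # %s" % (name, sha, tag)


def pin_workflow(text, resolved):
    """Rewrite each mutable `uses:` ref that appears in `resolved` ({ref: sha})."""
    out = []
    for line in text.splitlines():
        m = USES_LINE.match(line)
        if m and classify(m.group(1)) == "mutable" and m.group(1) in resolved:
            ref = m.group(1)
            line = line[: m.start(1)] + pin_reference(ref, resolved[ref]) + line[m.end(1):]
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample workflow (not the pprof workflow). Line 8 is already
# SHA-pinned with a placeholder SHA; line 7 and line 10 are mutable refs.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567  # v4.1.0
      - uses: ./.github/actions/lint
      - uses: some-org/some-action@main
      - name: Publish
        uses: docker://alpine:3.18
"""

# Minimal .github/dependabot.yml that bumps the SHA and the version comment
# whenever a new release of an action appears.
DEPENDABOT_CONFIG = """\
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
"""

if __name__ == "__main__":
    for line_no, ref, status in audit_workflow(SAMPLE_WORKFLOW):
        print("line %d: %s is %s" % (line_no, ref, status))
    # Placeholder SHA; in practice resolve it with `git ls-remote`.
    print(pin_workflow(SAMPLE_WORKFLOW, {"actions/checkout@v3": "a" * 40}))
```

Running the audit over a repository's `.github/workflows/*.yml` in CI (failing the job on any `mutable` or `missing` finding) prevents a future PR from quietly reintroducing a tag pin. Docker-image steps are reported as `docker` and left alone because they need an image digest, not a git SHA.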