joshjohanning / joshjohanning.github.io

josh-ops.com | a devops blog
https://josh-ops.com
MIT License

Tokenization / Replacing Environment Tokens in GitHub Actions | josh-ops #35

Open utterances-bot opened 4 months ago

utterances-bot commented 4 months ago

Tokenization / Replacing Environment Tokens in GitHub Actions | josh-ops

Replacing environment-specific configuration at deployment time

https://josh-ops.com/posts/github-actions-tokenization/

karpikpl commented 4 months ago

Thanks for the post Josh. Do you have any concerns about using referenced actions in a production workflow?

joshjohanning commented 4 months ago

Hey @karpikpl! I don't have any concerns with these particular Actions. You are right, though, it is important to vet marketplace actions before using them for things like last commit date (is it active?), functionality (does it work?), number of issues/pull requests (are things being resolved?), number of stars (are other people using it?), author, etc. The source code is there for you to be able to fork and scan with CodeQL and enable Dependabot alerts to see if there are any potential security vulnerabilities found.

At the time of writing this, both of these Actions are created by Hubbers as OSS projects, so that generally makes me feel better too.
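The vetting checklist from the comment above, turned into a small script as an added example (not code from the blog post or its comments): it reports an Action's repository against the signals listed there (recent activity, open issues/PRs, stars, owner). It assumes the field names of the GitHub REST API repository object, a constructed sample record, and illustrative thresholds.

```python
"""Vetting a marketplace Action from its repository metadata (added example).

Assumes field names from the GitHub REST API repository object and a
constructed sample record; the thresholds are illustrative assumptions.
"""
import json
from datetime import datetime, timezone

# Constructed sample, shaped like a GitHub REST API repository object.
SAMPLE_REPO_JSON = """{
  "full_name": "example-org/example-action",
  "owner": {"login": "example-org", "type": "Organization"},
  "archived": false,
  "pushed_at": "2024-01-15T10:00:00Z",
  "stargazers_count": 42,
  "open_issues_count": 7
}"""

# Illustrative thresholds (assumptions; tune to your own policy).
MAX_DAYS_SINCE_PUSH = 180
MIN_STARS = 25
MAX_OPEN_ISSUES = 50  # open_issues_count also counts open pull requests
# Fixed "now" so the demo report is reproducible (assumption).
DEMO_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)


def vet_action(repo_json: str, now: datetime) -> dict:
    """Return a vetting report: the signals checked and any concerns raised."""
    repo = json.loads(repo_json)
    pushed_at = datetime.fromisoformat(repo["pushed_at"].replace("Z", "+00:00"))
    days_since_push = (now - pushed_at).days
    concerns = []
    if repo.get("archived"):
        concerns.append("repository is archived")
    if days_since_push > MAX_DAYS_SINCE_PUSH:
        concerns.append(f"last push was {days_since_push} days ago")
    if repo["stargazers_count"] < MIN_STARS:
        concerns.append(f"only {repo['stargazers_count']} stars")
    if repo["open_issues_count"] > MAX_OPEN_ISSUES:
        concerns.append(f"{repo['open_issues_count']} open issues/PRs")
    return {
        "repo": repo["full_name"],
        "owner": f"{repo['owner']['login']} ({repo['owner']['type']})",
        "days_since_push": days_since_push,
        "concerns": concerns,
        "ok": not concerns,
    }


if __name__ == "__main__":
    print(json.dumps(vet_action(SAMPLE_REPO_JSON, DEMO_NOW), indent=2))
```

Feed it the JSON returned by `gh api repos/OWNER/REPO` for the Action you are considering; the report is a starting point for the manual review (author, functionality, CodeQL scan of a fork) rather than a replacement for it.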