Closed sjha2048 closed 5 months ago
hi @mr-tz, any particular reason for using commit hashes instead of version numbers?
could you also update the setup-python action
sure.
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
TIL! Thanks, will update shortly.
Thanks, there's still a few to fix in the build and CI workflows. Let me know if you want to fix them as well or if we should track them separately.
works for me either way, can you help me in listing them? I'll also go through the logs, if there are too many changes then I'll raise separate PRs
@mr-tz I have updated these actions.
Checklist
closes #1967