Docker-based GitHub actions are built every time [1]. This means that if the nnichols/clojure-dependency-update-action:latest image is compromised, it could result in arbitrary code execution. Pinning the image to its current SHA256 digest [2] removes that attack vector.

[1] https://docs.github.com/en/actions/creating-actions/about-custom-actions#docker-container-actions
[2] https://hub.docker.com/layers/nnichols/clojure-dependency-update-action/latest/images/sha256-06c47e969b386796a09f296d80af705c1d8b578cae41ebe018b08a0f657d4081?context=explore
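As an added example (not part of this PR or of the project's own code), here is a small Python check that flags docker:// image references in an action.yml or workflow file that are addressed by a mutable tag instead of a sha256 digest. It assumes the standard GitHub syntax (runs.image: docker://... in action.yml, uses: docker://... in a workflow step); the sample action.yml text is constructed for the example, and the digest used in the pinned variant is the one from reference [2].

```python
import re
from typing import List, Tuple

# Matches the two places a registry-hosted Docker image can be named:
#   action.yml  ->  runs.image: docker://owner/image:tag
#   workflow    ->  steps[].uses: docker://owner/image:tag
# A local `image: Dockerfile` is built from the action's own repository and
# is deliberately not matched; this check is about mutable registry tags.
IMAGE_LINE = re.compile(
    r"^\s*(?:-\s*)?(?:image|uses):\s*['\"]?docker://(?P<ref>[^\s'\"]+)"
)

# An immutable reference ends in a 64-hex-char sha256 digest, with or
# without a tag in front of it (`image:tag@sha256:...` is also pinned;
# the registry ignores the tag once a digest is present).
DIGEST_SUFFIX = re.compile(r"@sha256:[0-9a-f]{64}$")


def is_digest_pinned(ref: str) -> bool:
    """True if `ref` names an exact image by sha256 digest rather than a tag."""
    return DIGEST_SUFFIX.search(ref) is not None


def find_unpinned(yaml_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, image_ref) for every docker:// reference that is
    addressed by a tag (or no tag at all) instead of a digest."""
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        m = IMAGE_LINE.match(line)
        if m and not is_digest_pinned(m.group("ref")):
            findings.append((lineno, m.group("ref")))
    return findings


# Constructed sample: the action.yml shape this PR is concerned with, before
# and after pinning. The digest is the one from reference [2] above.
BEFORE = """\
name: Clojure dependency update
runs:
  using: docker
  image: docker://nnichols/clojure-dependency-update-action:latest
"""

PINNED_DIGEST = "06c47e969b386796a09f296d80af705c1d8b578cae41ebe018b08a0f657d4081"

AFTER = BEFORE.replace(
    "clojure-dependency-update-action:latest",
    f"clojure-dependency-update-action@sha256:{PINNED_DIGEST}",
)

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        hits = find_unpinned(text)
        if not hits:
            print(f"{label}: all docker:// images are digest-pinned")
        for lineno, ref in hits:
            print(f"{label}: line {lineno}: {ref} is not pinned to a digest")
```

Running the script reports the :latest reference in the "before" file and nothing for the pinned "after" file; the same check can be pointed at workflow files, where a step's uses: docker://... line is treated the same way.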
Proposed Changes
Pre-merge Checklist