redhat-developer / app-services-sdk-js

RHOAS SDK for JavaScript and Typescript
https://redhat-developer.github.io/app-services-sdk-js
Apache License 2.0

Use commit SHA instead of branch name for third-party actions #620

Closed andreaTP closed 1 year ago

andreaTP commented 1 year ago

Hi! Following the GH Action Security Hardening guide, we should use the commit SHA instead of the branch or tag for any third-party untrusted action.

rkpattnaik780 commented 1 year ago

Fixed in #644