rossjrw / pr-preview-action

GitHub Action that deploys a pull request preview to GitHub Pages, similar to Vercel and Netlify, and cleans up after itself.
https://github.com/marketplace/actions/deploy-pr-preview
MIT License

chore: use fixed hashes for the dependency actions #79

Closed erikwrede closed 5 months ago

erikwrede commented 5 months ago

Thanks for this great action!

Since the action is dependent on some other actions (JamesIves/github-pages-deploy-action@v4, marocchino/sticky-pull-request-comment@v2), it may be susceptible to some supply chain attacks, see here: https://www.rwx.com/blog/github-actions-is-vulnerable-to-supply-chain-attacks

Some malicious actor could take over the mentioned dependencies and change the v2 release to any arbitrary release without anyone noticing. That's why it's a good practice to pin your actions and their dependencies (some orgs even enforce this).

When pinning this action to a specific commit in the repo settings, you still need to pin the dependencies to v2 / v4 and cannot set them to a specific commit since the action definition requires versions.

This PR mitigates the supply chain attack risk by pinning all dependencies to a specific version. I understand that this slightly increases maintenance efforts, as minor and patch updates to the upstream actions need to be done by hand. However, I advocate that in the spirit of security, this change is useful. Please LMK your thoughts.
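The check a maintainer would want behind the argument above is a way to tell, mechanically, whether every `uses:` line in a workflow or composite `action.yml` points at an immutable commit SHA rather than a movable tag like `v2` or `v4`. The script below is an added example for this discussion, not code from pr-preview-action or from the PR itself; the YAML it scans and the 40-character SHAs in it are constructed placeholders, not real commits of the referenced actions.

```python
"""Flag `uses:` references in GitHub Actions YAML that are not pinned to a
full commit SHA.

Added example for this PR discussion; not part of pr-preview-action.
SAMPLE_ACTION_YML / PINNED_ACTION_YML and the SHAs inside them are
constructed placeholders.
"""
import re
from typing import List, Tuple

# Matches `uses: owner/repo[/subdir]@ref`, with or without quotes and with an
# optional trailing `# comment`. Local (`./path`) and `docker://` references
# do not match and are left alone: they are not pinned via a git ref.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)"
    r"@(?P<ref>[^\s'\"#]+)['\"]?"
)

# A tag (v4) or branch (main) can be moved by whoever controls the upstream
# repository; only a full 40-hex commit SHA is immutable. GitHub also does not
# treat abbreviated SHAs as pins, so those are rejected here as well.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_pinned(ref: str) -> bool:
    """True only when `ref` is a full lowercase 40-character commit SHA."""
    return bool(FULL_SHA_RE.match(ref))


def find_unpinned(yaml_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, action, ref) for each `uses:` not pinned to a SHA."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not is_pinned(m.group("ref")):
            findings.append((lineno, m.group("action"), m.group("ref")))
    return findings


# Constructed sample: the shape of a composite action that uses floating tags,
# which is the situation the PR description calls out.
SAMPLE_ACTION_YML = """\
name: Deploy PR preview
runs:
  using: composite
  steps:
    - uses: actions/checkout@v4
    - uses: JamesIves/github-pages-deploy-action@v4
    - uses: marocchino/sticky-pull-request-comment@v2
"""

# Constructed sample of the pinned form. The SHAs are placeholders (all one
# letter) and must be replaced with the real commits of the releases you
# verified. The trailing `# vN` comment keeps the intended version readable
# and is the convention Dependabot/Renovate update alongside the SHA.
PINNED_ACTION_YML = """\
name: Deploy PR preview
runs:
  using: composite
  steps:
    - uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v4
    - uses: JamesIves/github-pages-deploy-action@bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb # v4
    - uses: marocchino/sticky-pull-request-comment@cccccccccccccccccccccccccccccccccccccccc # v2
"""


def report(yaml_text: str, label: str) -> int:
    """Print unpinned references and return how many were found."""
    findings = find_unpinned(yaml_text)
    print(f"{label}: {len(findings)} unpinned reference(s)")
    for lineno, action, ref in findings:
        print(f"  line {lineno}: {action}@{ref}")
    return len(findings)


if __name__ == "__main__":
    report(SAMPLE_ACTION_YML, "floating tags")
    report(PINNED_ACTION_YML, "pinned to SHA")
```

Run it against a real `action.yml` or `.github/workflows/*.yml` by passing the file contents to `find_unpinned`; a non-empty result is the list of references that a tag move upstream could silently redirect. Note that a pin only transfers the risk to the moment you verify the SHA, which is why the maintainer's "will merge once I've verified the SHAs" step matters: the SHA should be checked against the upstream release you actually intend to run.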

rossjrw commented 5 months ago

Did a little research into whether or not this is considered a best practice. The answer I'm getting is, overwhelmingly, yes - it was https://github.com/renovatebot/renovate/issues/7537 that ended up convincing me.

Thanks for the contribution @erikwrede, will merge once I've verified the SHAs!

rossjrw commented 5 months ago

Released in v1.4.7