Hey, it's Pedro (see #562) and I'm back with a new security suggestion!
When developing with CI workflows, it's common to version-pin dependencies (i.e. actions/checkout@v3). However, version tags are mutable, so a malicious attacker could overwrite a version tag to point to a malicious or vulnerable commit instead.
Pinning workflow dependencies by hash ensures the dependency is immutable and its behavior is guaranteed.
These hashes can be automatically updated by dependabot. Whenever new versions Actions are released, you'll receive a single PR updating all of their hashes and version comments at once (see this example).
I'll send a PR pinning the Actions along with this issue.
Hey, it's Pedro (see #562) and I'm back with a new security suggestion!
When developing with CI workflows, it's common to version-pin dependencies (i.e.
actions/checkout@v3
). However, version tags are mutable, so a malicious attacker could overwrite a version tag to point to a malicious or vulnerable commit instead.Pinning workflow dependencies by hash ensures the dependency is immutable and its behavior is guaranteed.
These hashes can be automatically updated by dependabot. Whenever new versions Actions are released, you'll receive a single PR updating all of their hashes and version comments at once (see this example).
I'll send a PR pinning the Actions along with this issue.