crickets-and-comb/shared

Pin third-party actions to commit SHAs

Open

#39 opened on Mar 22, 2025

View on GitHub
 (0 comments) (0 reactions) (0 assignees)Makefile (0 forks)auto 404
bughelp wanted

Repository metrics

Stars
 (2 stars)
PR merge metrics
 (PR metrics pending)

Description

Sounds like best practice is not to simply pin to a version to get the latest patch updates, but to pin to a specific commit SHA.

For all calls to third-party actions, pin to a specific SHA, copied directly from the action source.

Kaleb: Set up a periodic review of SHAs or ensure that security alerts will issue for specific SHAs.

Contributor guide