Reference actions by commit SHA
gabibguti opened this issue
Referencing actions by commit SHA in GitHub workflows guarantees you are using an immutable version. Actions referenced by tags and branches are vulnerable to attacks, such as the tag being moved to a malicious commit, a malicious commit being pushed to the branch, or typosquatting.
Reanalyzing your workflows, as done in #447, it looks like most of them use actions referenced by tags or branches. To prevent the attacks mentioned above, it would be good to change these references to commit SHAs. If you agree, I can open a PR.
Although there are pros and cons to using each kind of reference (tags, branches, SHAs), GitHub understands using commit SHAs is more reliable, as does the Scorecard security tool.
Additional Context
Hi again! I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)
@gabibguti Please do so.