jbeder / yaml-cpp

A YAML parser and emitter in C++


Hash-pin sensitive workflow dependencies and configure dependabot to update them

diogoteles08 opened this issue · comments

Hi! I'm Diogo and I'm back (see #1174 and #1188) hoping to offer a bit more help with security enhancements.

I noticed that your workflow bzlmod-archive.yml is using contents: write permissions while running unpinned external dependencies. This could make your source code vulnerable in case a dependency gets hijacked and changes the code your tags are pointing to.

A simple solution for this problem would be to hash-pin those sensitive actions, pointing the actions to the very specific commit of that release. It follows an example of the change:

```yaml
- uses: r-lib/actions/pr-fetch@v1
```
would become
```yaml
- uses: r-lib/actions/pr-fetch@11a22a908006c25fe054c4ef0ac0436b1de3edbe # v1.3.1
```

And this would enforce that your action is always running at the expected code.

The only downside of this solution is that it gets trickier to manually update the version of the actions as they get out-of-date, but that can be solved by using a Dependency-Update-Tool (like dependabot or renovatebot). They can be configured to send PRs updating the dependencies at the pace that is most convenient for you (which can also be "never", and you'd only get PRs in case of security updates). For the case of the hash-pinning, the PRs would still keep a comment with the human-readable version used =).

As it's a pretty simple change, I'll take the liberty of raising a PR following up this issue; it should ease your evaluation.

Cheers,
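As an added illustration of the check behind this issue (it is not the yaml-cpp project's code nor the PR that followed): a small POSIX shell script that lists the `uses:` steps of a workflow file that are not pinned to a full commit SHA, run against a constructed workflow, together with a constructed `.github/dependabot.yml` for the `github-actions` ecosystem. The workflow content, the `@main` reference and the temporary directory are assumptions made for the demo; only the `.github/workflows/` and `.github/dependabot.yml` paths and the dependabot keys are the real GitHub conventions.

```shell
#!/bin/sh
# Added example, not part of yaml-cpp or the issue author's PR: flag GitHub
# Actions steps whose `uses:` reference is a tag or branch instead of a
# 40-hex-digit commit SHA. Demo files are written to a temporary directory;
# .github/workflows/ and .github/dependabot.yml are the real GitHub paths.
set -u

DEMO_DIR=$(mktemp -d)
mkdir -p "$DEMO_DIR/.github/workflows"

# Constructed workflow: one step pinned by tag, one by branch, one by SHA
# (the pinned reference from the issue text), plus a local action.
UNPINNED_WF="$DEMO_DIR/.github/workflows/demo.yml"
cat > "$UNPINNED_WF" <<'EOF'
name: demo
on: [push]
permissions:
  contents: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: r-lib/actions/pr-fetch@main
      - uses: r-lib/actions/pr-fetch@11a22a908006c25fe054c4ef0ac0436b1de3edbe # v1.3.1
      - uses: ./.github/actions/local-step
EOF

# Constructed dependabot configuration that keeps the pinned SHAs current.
# `package-ecosystem`, `directory`, `schedule` and `open-pull-requests-limit`
# are standard dependabot keys; a limit of 0 disables version-update PRs and
# leaves only security updates, matching the "never" option in the issue.
cat > "$DEMO_DIR/.github/dependabot.yml" <<'EOF'
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    # open-pull-requests-limit: 0   # security updates only
EOF

# Print every `uses:` line of a workflow file that is not pinned to a
# 40-hex-digit commit SHA. Local (./...) and docker:// references are
# skipped because they are not versioned through a git ref.
unpinned_uses() {
    grep -nE '^[[:space:]]*(-[[:space:]]+)?uses:' "$1" \
        | grep -vE 'uses:[[:space:]]*(\./|docker://)' \
        | grep -vE '@[0-9a-fA-F]{40}([[:space:]]|$)' || :
}

# Number of unpinned references, as a plain integer.
count_unpinned() {
    unpinned_uses "$1" | wc -l | tr -d ' '
}

# Exit status 0 when every external action in the file is SHA-pinned,
# 1 otherwise; usable as a CI gate.
check_workflow() {
    [ "$(count_unpinned "$1")" -eq 0 ]
}

# Stand-alone demo output.
echo "Unpinned actions in $UNPINNED_WF:"
unpinned_uses "$UNPINNED_WF"
if check_workflow "$UNPINNED_WF"; then
    echo "all external actions are SHA-pinned"
else
    echo "$(count_unpinned "$UNPINNED_WF") action(s) still need hash-pinning"
fi
```

Running the script prints the `actions/checkout@v4` and `pr-fetch@main` lines and reports two actions needing a pin; the SHA-pinned step and the local action pass. Pointing `check_workflow` at a real file under `.github/workflows/` gives a non-zero exit status whenever an unpinned external action slips back in, which is the regression the dependabot configuration is meant to prevent from going unnoticed.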

Works for me, as long as I don't have to do anything other than stamp PRs :)