
Pin GitHub Actions to specific commits

Open alilleybrinker opened this issue 8 months ago • 0 comments

Right now we incorporate third-party GitHub Actions by tags, but tags in Git are mutable, so we silently upgrade to newer versions when they're published.

Instead, we should:

  • [ ] Pin third-party actions to commit hashes
  • [ ] Configure Dependabot to check for updates and open PRs when they arise
  • [ ] Audit our dependencies to see if they pin dependencies. If they don't, see if they're willing to do so, and if not, stop using them.

alilleybrinker, Mar 20 '25 23:03
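The audit in the third checklist item can be mechanised: walk every `uses:` line in a workflow and flag any target whose ref is a tag or branch rather than a full commit SHA. The script below is an added example, not hipcheck's own tooling or a real project workflow; the embedded workflow is constructed for illustration, the action names in it are placeholders, and the 40-hex SHA it contains is a made-up value rather than a commit of any real action.

```python
"""Audit a GitHub Actions workflow for `uses:` targets that are not pinned
to an immutable ref. Added example; not part of the hipcheck project."""
import re

# Constructed sample workflow. Action names are illustrative and the
# 40-hex SHA is a placeholder, not a real commit of any action.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.1.0
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.20
      - uses: some-org/some-action/sub-dir@main
      - name: Run tests
        run: npm test
"""

USES_RE = re.compile(r'^\s*-?\s*uses:\s*(\S+)')
SHA40_RE = re.compile(r'^[0-9a-f]{40}$')
DIGEST_RE = re.compile(r'^sha256:[0-9a-f]{64}$')


def uses_refs(workflow_text):
    """Return every `uses:` target in order; trailing `# vX.Y.Z` comments are dropped."""
    return [m.group(1) for line in workflow_text.splitlines()
            if (m := USES_RE.match(line))]


def is_pinned(ref):
    """True only for immutable targets: a local path (ships with the checkout),
    a docker image pinned by sha256 digest, or a repo action at a 40-hex commit."""
    if ref.startswith(('./', '../')):
        return True
    if ref.startswith('docker://'):
        image = ref[len('docker://'):]
        if '@' not in image:
            return False  # image tag: mutable, same problem as a git tag
        return DIGEST_RE.match(image.split('@', 1)[1]) is not None
    if '@' not in ref:
        return False  # no ref at all resolves to the default branch
    _, version = ref.rsplit('@', 1)
    return SHA40_RE.match(version) is not None


def unpinned(workflow_text):
    """List the `uses:` targets that a mutable tag or branch could silently change."""
    return [ref for ref in uses_refs(workflow_text) if not is_pinned(ref)]


if __name__ == '__main__':
    for ref in unpinned(SAMPLE_WORKFLOW):
        print(f'not pinned: {ref}')
```

Pinning alone does not stop updates, it just makes them explicit: the pinned form keeps the human-readable version as a trailing comment (`uses: actions/setup-node@<sha> # v4.1.0`), and Dependabot's `github-actions` ecosystem opens PRs that bump both the SHA and that comment, which is the second checklist item.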