problem-specifications
CI: Add a per-track workflow that checks all GHAs are pinned to a SHA
As per: https://github.com/exercism/problem-specifications/pull/1722/files#diff-4d2cace23cf1ea1094ebdad9ef0dfa2e93c9e23056b2265af6ddec0e5899c932R75
Can we enforce (via CI) that all GHA scripts are pinned to SHAs?
This is a real attack vector for us for repos with tokens (which many repos now have), as someone could change the script and spam our AWS account and cost us a lot of money.
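One way to implement the check the issue asks for, as an added example that is not code from the exercism/problem-specifications repository: a small script that scans workflow files for `uses:` entries and fails when any third-party action is referenced by a mutable tag or branch instead of a full 40-character commit SHA. It treats local actions (`./path`) as exempt and accepts `docker://` images only when pinned by a `sha256:` digest. The sample workflow text, the SHA and the digest in it are constructed placeholders; the regex-based parsing assumes `uses:` values are single-line scalars, which is how workflow files are written in practice.

```python
"""Check that every third-party GitHub Action reference in a workflow is pinned
to an immutable commit SHA (or image digest) rather than a mutable tag/branch.

Added example, not from the exercism/problem-specifications repository.
No YAML library is needed: `uses:` values are plain one-line scalars.
"""
import re
import sys
from pathlib import Path

# Matches `uses: owner/repo@ref` (also `owner/repo/path@ref`, reusable-workflow
# `uses:` without a leading dash, optional quotes, and a trailing `# comment`).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)['\"]?", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def is_pinned(ref: str) -> bool:
    """True if an action reference cannot silently change behind our back.

    - ./path            local action, part of this repo, no pin needed
    - docker://img@sha256:<digest>   pinned by content digest
    - owner/repo@<40-hex-sha>        pinned by commit
    Anything else (@v4, @main, or no @ at all) resolves to a mutable ref.
    """
    if ref.startswith("./"):
        return True
    if "@" not in ref:
        return False
    target, version = ref.rsplit("@", 1)
    if target.startswith("docker://"):
        return bool(DIGEST_RE.match(version))
    return bool(FULL_SHA_RE.match(version))


def find_unpinned(workflow_text: str) -> list[str]:
    """Return every `uses:` reference in the workflow text that is not pinned."""
    return [ref for ref in USES_RE.findall(workflow_text) if not is_pinned(ref)]


def check_workflows(workflow_dir: str = ".github/workflows") -> dict[str, list[str]]:
    """Map each workflow file to its unpinned references (empty list = clean)."""
    results = {}
    for path in sorted(Path(workflow_dir).glob("*.y*ml")):
        results[str(path)] = find_unpinned(path.read_text(encoding="utf-8"))
    return results


# Constructed sample workflow: the SHA and digest below are placeholders,
# not real commits or images.
_SHA = "0123456789abcdef0123456789abcdef01234567"
_DIGEST = "sha256:" + "0" * 64
SAMPLE_WORKFLOW = "\n".join([
    "name: sample",
    "on: [push]",
    "jobs:",
    "  build:",
    "    runs-on: ubuntu-latest",
    "    steps:",
    "      - uses: actions/checkout@v4",
    f"      - uses: actions/setup-node@{_SHA}  # v4.0.3",
    "      - uses: ./.github/actions/local-thing",
    f'      - uses: "docker://alpine@{_DIGEST}"',
    "      - uses: some-org/some-action@main",
    "",
])

if __name__ == "__main__":
    # With a directory argument, scan real workflow files; otherwise run on the sample.
    if len(sys.argv) > 1:
        report = check_workflows(sys.argv[1])
    else:
        report = {"<sample>": find_unpinned(SAMPLE_WORKFLOW)}
    bad = {name: refs for name, refs in report.items() if refs}
    for name, refs in bad.items():
        for ref in refs:
            print(f"{name}: unpinned action reference: {ref}")
    sys.exit(1 if bad else 0)
```

Run as `python check_pins.py .github/workflows` from a workflow step; a non-zero exit fails the job, which is what turns the convention into an enforced control. Pinning to a SHA removes the "someone retags `v4`" path, but the pinned commit still has to be reviewed when it is bumped, so the check pairs naturally with a `# vX.Y.Z` comment on each pin and a dependency-update bot that proposes the bumps.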