Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

You and someone else pointed this out. I only use GitHub-org actions, and I just thought that surely there would be a "one version to rule them all" type rule.. how else can you audit things?

I've never seen anything recommending specifying a specific commit hash or anything for GitHub actions. It's always just v1, v2, etc.



it is documented as recommended here fwiw: https://docs.github.com/en/actions/security-for-github-actio...


And the syntax to do that is to use `foo/bar@commitshagoeshere` as in

    - uses: RafaelGSS/bad-action@e20fd1d81b3f403df56f5f06e2aa9653a6a60763 # v1.0.1
(example from https://blog.rafaelgss.dev/why-you-should-pin-actions-by-com...)


This. Using tags is acceptable only for official GitHub actions, anything else should be pinned.


OpenSSF scorecard flags dependencies (including GitHub actions) which aren’t pinned by hash

https://scorecard.dev/

https://github.com/ossf/scorecard/blob/main/docs/checks.md#p...




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: