
fix: pin workflow actions to commit SHA #129

Merged
ShutdownRepo merged 1 commit into ThePorgs:main from dashingDragon:fix-workflow-actions on May 19, 2026

Conversation

@dashingDragon

Contributor

Description

Tags and branches in GitHub are mutable; a repository owner or an attacker who gains access to the upstream action repository can move a tag to a different commit. This creates a supply chain risk where malicious code could be introduced into our CI/CD environment without changing our workflow files.

Related issues

None found.

Point of attention

Make sure that the pinned versions are correct.

@ShutdownRepo ShutdownRepo merged commit 822a70f into ThePorgs:main May 19, 2026
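As an added example (not code from this PR or the ThePorgs repository), a line-based Python check, run over a constructed workflow snippet with placeholder SHAs, that flags `uses:` references still on a mutable tag or branch and SHA pins that lack the version comment a reviewer needs to confirm the pinned versions are correct:

```python
# Line-based check that remote `uses:` references in a workflow are pinned to a full commit SHA.
import re
from typing import List, Tuple

# "- uses: owner/repo[/path]@ref   # optional version comment"
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<spec>[^\s#]+)(?:\s*#\s*(?P<comment>\S.*))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # abbreviated SHAs are rejected as well

def check_pins(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, spec, reason) for each action that is not pinned to a full
    SHA or lacks the version comment a reviewer needs to verify the pin is correct.
    Local actions (./...) and docker:// images are skipped."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec, comment = m.group("spec"), m.group("comment")
        if spec.startswith("./") or spec.startswith("docker://"):
            continue
        if "@" not in spec:
            findings.append((no, spec, "no @ref given"))
            continue
        ref = spec.rsplit("@", 1)[1]
        if not FULL_SHA_RE.match(ref):
            findings.append((no, spec, "not a full 40-char commit SHA (mutable tag/branch or abbreviated SHA)"))
        elif not comment:
            findings.append((no, spec, "SHA pin has no version comment for reviewers"))
    return findings

# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # v5.1.0
      - uses: docker/login-action@main
      - uses: ./.github/actions/local-step
      - uses: some-org/some-action@0123456789abcdef0123456789abcdef01234567
"""
```

Running `check_pins(SAMPLE_WORKFLOW)` reports the `@v4` tag, the `@main` branch, and the SHA pin without a version comment; the setup-python line passes and the local action is skipped.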