In its documentation, https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions, GitHub recommends pinning GitHub actions to a full-length commit SHA.
The disadvantage of this is that it's more work compared to pinning actions to a tag. But it can be simplified by letting Dependabot handle the dependency upgrades.
One nice side effect is that there will be more activity in the repository. So this helps prevent scheduled GitHub Actions from becoming disabled when there is no activity for X consecutive days. Note that this is less needed by plugins in asdf-community because it seems there is a bot that generates activity every now and then (see "Update .github/CODEOWNERS" commits in https://github.com/asdf-community/asdf-graalvm/commits/master for example).
Should GitHub action pinning to a full-length commit SHA be applied to this template repository?