Description
Currently, most workflows in this repository use floating major-version tags for GitHub Actions (e.g., actions/checkout@v4, actions/setup-node@v3). While convenient, this approach poses a supply chain security risk: a tag can be force-pushed by the action author (or a compromised account), potentially introducing malicious code into our CI/CD pipelines.
Proposed Solution
Pin all GitHub Action references to their full commit SHAs with inline comments indicating the version:
```yaml
# Instead of:
uses: actions/checkout@v4
# Use:
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.2.2
```
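To verify the pinning described above across a repository, the following added example (not part of this issue or the project's own tooling) scans workflow text for `uses:` references and classifies each as SHA-pinned, SHA-pinned without a version comment, or floating. The sample workflow embedded below is constructed for illustration.

```python
import re

# A `uses:` step line: owner/repo[/path]@ref with an optional trailing "# vX.Y.Z" comment.
# Local actions ("./path") and docker:// references contain no "@ref" and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>.*))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # full commit SHA, the only immutable reference


def audit_uses_lines(workflow_text):
    """Return (line_no, action, ref, status) for every action reference.

    status: 'pinned' (40-hex SHA with version comment),
            'pinned-no-comment' (SHA but no readability comment),
            'floating' (tag or branch the action author can move).
    """
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if SHA_RE.match(ref):
            status = "pinned" if comment else "pinned-no-comment"
        else:
            status = "floating"
        findings.append((n, action, ref, status))
    return findings


def floating_refs(workflow_text):
    """Only the references that a force-pushed tag could redirect."""
    return [f for f in audit_uses_lines(workflow_text) if f[3] == "floating"]


# Constructed sample workflow; not a real file from this repository.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v3
        with:
          node-version: 20
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.2.2
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for n, action, ref, status in audit_uses_lines(SAMPLE_WORKFLOW):
        print(f"line {n}: {action}@{ref} -> {status}")
```

Run it over each file in `.github/workflows/` and fail the check when `floating_refs` returns anything; quoted `uses: "..."` forms are not matched by this regex.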
Benefits
- Immutability: Commit SHAs cannot be altered, ensuring the exact code is executed
- Transparency: Version comments maintain readability
- Security: Eliminates risk of tag-based supply chain attacks
Scope
This affects multiple workflow files in .github/workflows/:
- template-sync.yml
- And other workflow files across the repository
References