[ https://issues.apache.org/jira/browse/DAFFODIL-2881?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dave Thompson closed DAFFODIL-2881.
-----------------------------------

Verified the specified commit (commit d5e084c34abbd337d0951a6d33460465e38692e8) 
is included in the latest pull from the daffodil repository.

Verified, via review, that the changes identified in the commit comment were 
implemented.

Verified that GitHub Actions are now associated with the appropriate hash 
instead of the version in the dependency-graph.yml and main.yml files.

> Pin github actions to commit hash instead of tags
> -------------------------------------------------
>
>                 Key: DAFFODIL-2881
>                 URL: https://issues.apache.org/jira/browse/DAFFODIL-2881
>             Project: Daffodil
>          Issue Type: Bug
>          Components: Infrastructure
>            Reporter: Steve Lawrence
>            Assignee: Steve Lawrence
>            Priority: Minor
>             Fix For: 3.7.0
>
>
> GitHub Actions should be pinned to a commit hash instead of a version to 
> prevent malicious actors or just accidental breaking of builds if tags are 
> renamed/deleted:
> https://blog.rafaelgss.dev/why-you-should-pin-actions-by-commit-hash
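The issue above asks for `uses:` references to be pinned to a full commit hash rather than a mutable tag or branch, because a tag can be moved, renamed or deleted by whoever controls the action repository. The checker below is an added example, not code from the Daffodil project or from this Jira issue: it scans a workflow file's `uses:` lines and reports every reference that is not a full 40-hex-character SHA, and separately reports SHA-pinned lines that lack the conventional trailing `# vX.Y.Z` comment that records which release the hash corresponds to. It works on the raw text, so it needs no YAML library; the sample workflow and every hash in it are constructed for illustration and do not correspond to real releases.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA.

Added example, not part of the Daffodil project or of DAFFODIL-2881. The
workflow text below is constructed; the hashes in it are made up.
"""
import re

# A full-length commit SHA: 40 lowercase hex characters (GitHub uses SHA-1 today).
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

# `uses: owner/repo[/path]@ref` with an optional trailing `# comment`.
USES_LINE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^@\s#]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>.*))?\s*$"
)

# Constructed sample workflow: one properly pinned step, one pinned step without
# a version comment, one local action, and three mutable references.
SAMPLE_WORKFLOW = """\
name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567  # v2.0.0 (constructed sha)
      - uses: ./.github/actions/local-step
      - name: Cache
        uses: actions/cache@main
      - uses: example/action@abc1234
      - uses: example/other@fedcba9876543210fedcba9876543210fedcba98
"""


def classify_ref(ref):
    """'sha' for a full commit hash, 'short-sha' for an abbreviated one, else 'tag-or-branch'.

    The short-sha rule is a heuristic: a tag that happens to be 7-39 hex
    characters would be misclassified, which is rare in practice.
    """
    if FULL_SHA.match(ref):
        return "sha"
    if re.fullmatch(r"[0-9a-f]{7,39}", ref):
        return "short-sha"
    return "tag-or-branch"


def _uses_entries(workflow_text):
    """Yield (line_number, action, ref, comment) for each remote `uses:` line.

    Local actions (`./path`) and docker:// references are skipped: they are not
    resolved through GitHub tags, so tag renaming does not affect them.
    """
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        action = m.group("action")
        if action.startswith("./") or action.startswith("docker://"):
            continue
        yield lineno, action, m.group("ref"), m.group("comment")


def find_unpinned(workflow_text):
    """Return (line_number, action, ref, kind) for every `uses:` not pinned to a full SHA."""
    findings = []
    for lineno, action, ref, _comment in _uses_entries(workflow_text):
        kind = classify_ref(ref)
        if kind != "sha":
            findings.append((lineno, action, ref, kind))
    return findings


def pinned_without_version_comment(workflow_text):
    """Return line numbers of SHA-pinned `uses:` lines that carry no trailing comment.

    A `# v1.2.3` comment beside the hash is what lets a reviewer (or a tool such
    as Dependabot) see which release the hash was taken from.
    """
    return [
        lineno
        for lineno, _action, ref, comment in _uses_entries(workflow_text)
        if classify_ref(ref) == "sha" and not comment
    ]


if __name__ == "__main__":
    for lineno, action, ref, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}@{ref} is a {kind}, pin it to a full commit SHA")
    for lineno in pinned_without_version_comment(SAMPLE_WORKFLOW):
        print(f"line {lineno}: pinned by SHA but missing a '# vX.Y.Z' comment")
```

Running it over a real `.github/workflows/*.yml` is a matter of passing the file contents instead of `SAMPLE_WORKFLOW`; a non-empty result from `find_unpinned` is what a pre-merge check would fail on. Note that a full SHA only guarantees immutability of the content fetched, not the trustworthiness of that content, so the hash still has to be reviewed when it is first introduced and whenever it is bumped.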



--
This message was sent by Atlassian Jira
(v8.20.10#820010)