jbampton opened a new pull request, #309: URL: https://github.com/apache/whimsy/pull/309
We already pin here: https://github.com/apache/whimsy/blob/master/.github/workflows/pre-commit.yml

https://github.com/ruby/setup-ruby/commit/afeafc3d1ab54a631816aba4c914a0081c12ff2f
https://github.com/actions/setup-node/commit/48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
https://github.com/actions/checkout/commit/df4cb1c069e1874edd31b4311f1884172cec0e10

---

Using mutable tags like `@v4` leaves your pipelines vulnerable to supply chain attacks if a developer's account is compromised. Pinning to a unique 40-character commit SHA ensures you run immutable, unalterable code that cannot be silently modified by bad actors. This practice guarantees absolute build reproducibility because cryptographic hashes cannot be force-pushed or rewritten. It also protects your workflows from risks like repository deletion or malicious name squatting. For maximum safety, pair SHAs with inline comments so dependency tools can still automate your version updates.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
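The practice the PR describes (pin every `uses:` reference to a full 40-character commit SHA and keep a version comment beside it) is easy to enforce with a small lint pass over workflow files. The following checker is an added example, not code from the whimsy project or from the PR author. It uses only a regular expression rather than a YAML parser so it runs with the standard library, and it flags two things: a `uses:` reference whose ref is not a 40-hex SHA (a tag or branch that can be moved), and a SHA-pinned reference that lacks the inline comment dependency tools rely on. The sample workflow is constructed for the example; the three SHAs in it are the ones linked in the PR, while the version comments beside them are placeholders, not verified tag names. Local actions (`uses: ./path`) and `docker://` references carry no `@ref` and are deliberately skipped.

```python
import re

# One `uses:` step line: owner/repo[/subpath]@ref, optionally followed by "# comment".
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s#]+)\s*(?:#\s*(.*))?$"
)
# A full 40-character lowercase hex commit SHA.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

MUTABLE_REF = "mutable ref (tag or branch), not a full 40-character commit SHA"
MISSING_COMMENT = "pinned to a SHA but missing the inline version comment"


def check_workflow(text):
    """Return a list of (line_no, action, ref, problem) findings for `text`,
    the contents of a GitHub Actions workflow file.

    Lines without a `uses: owner/repo@ref` shape (local or docker:// actions,
    `run:` steps, and so on) produce no finding."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group(1), m.group(2), m.group(3)
        if not SHA_RE.match(ref):
            findings.append((line_no, action, ref, MUTABLE_REF))
        elif not comment:
            findings.append((line_no, action, ref, MISSING_COMMENT))
    return findings


# Constructed sample workflow. The SHAs are the commits linked in the PR; the
# "vN.N.N" comments are placeholders standing in for the real tag names.
SAMPLE_WORKFLOW = """\
name: pre-commit
on: [push, pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # vN.N.N (placeholder version comment)
      - uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # vN.N.N (placeholder version comment)
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
      - uses: actions/setup-python@v4
      - uses: some-org/some-action@main
      - run: echo done
"""


if __name__ == "__main__":
    # Print findings in a grep-like form; a non-empty list means the file fails the check.
    for line_no, action, ref, problem in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref}: {problem}")
```

Run over the sample, the checker reports the unpinned `setup-python@v4` and `some-action@main` steps as mutable refs and the `setup-node` step as pinned but uncommented; the two fully pinned and commented steps pass. In a real repository the same function would be run over every file under `.github/workflows/` in a pre-commit hook or CI job so that a new mutable reference cannot land unnoticed.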
