Tobiasz Kedzierski created BEAM-11035:
-----------------------------------------
Summary: Pin versions of "untrusted" 3rd-party GitHub Actions
Key: BEAM-11035
URL: https://issues.apache.org/jira/browse/BEAM-11035
Project: Beam
Issue Type: Bug
Components: build-system, testing
Reporter: Tobiasz Kedzierski
Assignee: Tobiasz Kedzierski
[https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions]
quote:
Pinning an action to a full length commit SHA is currently the only way to use
an action as an immutable release. Pinning to a particular SHA helps mitigate
the risk of a bad actor adding a backdoor to the action's repository, as they
would need to generate a SHA-1 collision for a valid Git object payload.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
