[
https://issues.apache.org/jira/browse/BEAM-11035?focusedWorklogId=496492&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-496492
]
ASF GitHub Bot logged work on BEAM-11035:
-----------------------------------------
Author: ASF GitHub Bot
Created on: 07/Oct/20 10:59
Start Date: 07/Oct/20 10:59
Worklog Time Spent: 10m
Work Description: TobKed commented on pull request #13033:
URL: https://github.com/apache/beam/pull/13033#issuecomment-704859280
cc @potiuk @kamilwu @aaltay @tvalentyn
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
Issue Time Tracking
-------------------
Worklog Id: (was: 496492)
Time Spent: 20m (was: 10m)
> Pin versions of "untrusted" 3rd-party GitHub Actions
> ----------------------------------------------------
>
> Key: BEAM-11035
> URL: https://issues.apache.org/jira/browse/BEAM-11035
> Project: Beam
> Issue Type: Bug
> Components: build-system, testing
> Reporter: Tobiasz Kedzierski
> Assignee: Tobiasz Kedzierski
> Priority: P1
> Labels: security
> Time Spent: 20m
> Remaining Estimate: 0h
>
> [https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions]
> quote:
> Pinning an action to a full length commit SHA is currently the only way to
> use an action as an immutable release. Pinning to a particular SHA helps
> mitigate the risk of a bad actor adding a backdoor to the action's
> repository, as they would need to generate a SHA-1 collision for a valid Git
> object payload.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
