[
https://issues.apache.org/jira/browse/BEAM-11035?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kenneth Knowles updated BEAM-11035:
-----------------------------------
Resolution: Fixed
Status: Resolved (was: Resolved)
Hello! Due to a bug in our Jira configuration, this issue had status:Resolved
but resolution:Unresolved.
I am bulk editing these issues to have resolution:Fixed.
If a different resolution is appropriate, please change it. To do this, click
the "Resolve" button (you can do this even for closed issues) and set the
Resolution field to the right value.
> Pin versions of "untrusted" 3rd-party GitHub Actions
> ----------------------------------------------------
>
> Key: BEAM-11035
> URL: https://issues.apache.org/jira/browse/BEAM-11035
> Project: Beam
> Issue Type: Bug
> Components: build-system, testing
> Reporter: Tobiasz Kedzierski
> Assignee: Tobiasz Kedzierski
> Priority: P1
> Labels: security
> Time Spent: 1h
> Remaining Estimate: 0h
>
> [https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions]
> quote:
> Pinning an action to a full length commit SHA is currently the only way to
> use an action as an immutable release. Pinning to a particular SHA helps
> mitigate the risk of a bad actor adding a backdoor to the action's
> repository, as they would need to generate a SHA-1 collision for a valid Git
> object payload.
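As an added example (not part of the issue or of Beam's own build code), a small Python check that scans a workflow file for `uses:` references and reports any that are not pinned to a full 40-character commit SHA, which is the mitigation the quoted GitHub guidance describes. The workflow text and the SHA in it are constructed placeholders, not real actions or commits.

```python
import re
from dataclasses import dataclass

# Matches a `uses:` step reference in a GitHub Actions workflow (quoted or not).
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)["\']?', re.MULTILINE)
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')

@dataclass
class Finding:
    ref: str        # the full `uses:` value
    kind: str       # "sha", "mutable", "local", "docker", "unversioned"
    ok: bool        # True when the reference is immutable

def classify(ref: str) -> Finding:
    """Classify one `uses:` reference by how it is pinned."""
    if ref.startswith("./"):
        # Action from the same repository: already fixed at the workflow's own commit.
        return Finding(ref, "local", True)
    if ref.startswith("docker://"):
        # Container actions pin by image digest, not a git SHA; a bare tag is mutable.
        return Finding(ref, "docker", "@sha256:" in ref)
    if "@" not in ref:
        return Finding(ref, "unversioned", False)
    _, version = ref.rsplit("@", 1)
    if FULL_SHA_RE.match(version):
        return Finding(ref, "sha", True)
    # Tags and branches can be moved by whoever controls the action's repository.
    return Finding(ref, "mutable", False)

def audit_workflow(text: str) -> list[Finding]:
    return [classify(m.group(1)) for m in USES_RE.finditer(text)]

def unpinned(text: str) -> list[str]:
    """Return the `uses:` references that are not pinned to an immutable revision."""
    return [f.ref for f in audit_workflow(text) if not f.ok]

# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.12
      - uses: some-org/some-action
"""
```

Running `unpinned(SAMPLE_WORKFLOW)` lists the three references a reviewer would ask to be pinned; the check is text-based so it works without a YAML parser, but it will also match `uses:` lines inside comments.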
--
This message was sent by Atlassian Jira
(v8.3.4#803005)