gabibguti opened a new pull request, #224: URL: https://github.com/apache/commons-bcel/pull/224
Referencing actions by commit SHA in GitHub workflows guarantees you are using an immutable version. In contrast, actions referenced by tags and branches are vulnerable to attacks, such as the tag being moved to a malicious commit, a malicious commit being pushed to the branch, or typosquatting. Although there are pros and cons for each reference, GitHub acknowledges that [using commit SHAs is more reliable](https://docs.github.com/en/actions/learn-github-actions/finding-and-customizing-actions#using-shas), as does the [Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies) security tool. Currently, in this repository, we use actions such as `actions/[email protected]` and `github/codeql-action/init@v2`. Most actions are referenced by tags. To prevent the attacks mentioned above, it would be good to change the tag references to commit SHAs as suggested in this PR.

##### Additional Context

Hi! I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
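The check behind this PR, as an added illustration that is not part of the pull request or of the commons-bcel project: a small Python script that scans a workflow file for `uses:` references whose ref is not a full 40-character commit SHA, and rewrites the ones for which a resolved SHA is supplied, keeping the original tag as a trailing comment so reviewers (and update tooling) can still see which release the SHA corresponds to. The sample workflow, the action names other than those on the page, and the SHAs in `RESOLVED` are constructed placeholders; in practice the SHA for a tag is resolved out of band (for example with `git ls-remote` against the action repository) before it is pinned.

```python
"""Find and pin unpinned GitHub Actions references in a workflow file (example code)."""
import re
from typing import Dict, List, Tuple

# A `uses:` step line: captures the action path (group 1) and the ref after '@' (group 2).
# Local actions (`./path`) have no '@' and therefore do not match.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^@\s"\']+)@([^\s"\'#]+)')
# A full commit SHA is exactly 40 hex characters; anything else is a tag or branch.
SHA_RE = re.compile(r'^[0-9a-fA-F]{40}$')

# Constructed sample workflow: two tag references, one already pinned (with the tag
# kept as a comment), and one local action that has no remote ref at all.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-java@0123456789abcdef0123456789abcdef01234567 # v3.11.0
      - uses: github/codeql-action/init@v2
      - uses: ./.github/actions/local-step
"""

# Constructed (action, tag) -> SHA mapping; real values come from the action repository.
RESOLVED: Dict[Tuple[str, str], str] = {
    ("actions/checkout", "v3"): "deadbeef" * 5,
    ("github/codeql-action/init", "v2"): "cafebabe" * 5,
}


def is_pinned(ref: str) -> bool:
    """True when the ref is an immutable full commit SHA rather than a movable tag/branch."""
    return SHA_RE.match(ref) is not None


def find_unpinned(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, action, ref) for every `uses:` reference not pinned to a SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not is_pinned(m.group(2)):
            findings.append((line_no, m.group(1), m.group(2)))
    return findings


def pin_references(workflow_text: str, resolved: Dict[Tuple[str, str], str]) -> str:
    """Replace each (action, tag) found in `resolved` with its SHA, appending '# <tag>'.

    Lines whose (action, ref) pair is not in `resolved` are left untouched, so a partial
    mapping never silently changes a reference it cannot account for.
    """
    out = []
    for line in workflow_text.splitlines(keepends=True):
        m = USES_RE.match(line)
        if m and (m.group(1), m.group(2)) in resolved:
            sha = resolved[(m.group(1), m.group(2))]
            # Splice the SHA in place of the tag and keep the tag as a comment for readers.
            line = line[:m.start(2)] + sha + " # " + m.group(2) + line[m.end(2):]
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    for line_no, action, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} is not pinned to a commit SHA")
    print(pin_references(SAMPLE_WORKFLOW, RESOLVED))
```

Run as a script it lists the two tag references (`actions/checkout@v3` and `github/codeql-action/init@v2`) and prints the rewritten workflow, after which `find_unpinned` reports nothing. The same scan can be run in CI over every file under `.github/workflows/` so a new unpinned reference fails the build instead of reaching the default branch.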
