shreemaan-abhishek opened a new issue, #12938: URL: https://github.com/apache/apisix/issues/12938
## Pin GitHub Actions to specific SHA

### Description

Currently, several workflows in this repository use mutable tags (e.g., `@v3` or `@master`) for third-party GitHub Actions. This leaves the project vulnerable to supply chain attacks where a tag could be shifted to point to malicious code.

### Why this is important

* **Immutability:** Commit SHAs are immutable. Once pinned, the code cannot be changed by a third party.
* **Security:** It prevents "Tag Shifting" attacks where a compromised maintainer account updates a tag to include malware.
* **Stability:** Prevents our CI/CD from breaking if an upstream action releases a buggy version under an existing tag.

### Task

Update the workflows in `.github/workflows/` to use full-length commit SHAs instead of tags.

**Example Change:**

```diff
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
```

ref:

- [GitHub Security Best Practices](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
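A small audit-and-rewrite helper for the task described in the issue, as an added example that is not part of the issue or of the APISIX repository: it lists every `uses:` reference in a workflow, reports which ones are not pinned to a full 40-hex commit SHA, and rewrites the ones it has a pin for, keeping the original tag as a trailing comment. The sample workflow and the `PINS` map are constructed; the only real SHA is the `actions/checkout` v4.2.2 pin quoted in the issue.

```python
import re

# One `uses:` step line: owner/repo[/path]@ref, with an optional trailing "# comment".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@#]+)@([^\s#]+)(?:\s*#\s*(.*))?$")
# A full-length git commit SHA is the only ref that cannot be moved later.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return (line_no, action, ref, pinned) for every third-party `uses:` reference.

    Local actions (./path) and Docker images (docker://...) carry no git ref and are
    skipped; any ref that is not a 40-hex SHA (a tag or a branch) is reported unpinned.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if action.startswith("./") or action.startswith("docker://"):
            continue
        findings.append((n, action, ref, bool(SHA_RE.match(ref))))
    return findings


def pin_workflow(text, pins):
    """Rewrite refs found in `pins` ({(action, tag): sha}) and keep the tag as a comment.

    Any existing trailing comment on a rewritten line is replaced by the tag comment.
    """
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and (m.group(1), m.group(2)) in pins:
            sha = pins[(m.group(1), m.group(2))]
            line = line[: m.start(2)] + sha + "  # " + m.group(2)
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed workflow: two tag refs, one local action, one branch ref.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-thing
      - uses: third-party/tool@master
"""

# Constructed pin map; the checkout SHA is the v4.2.2 pin from the issue text.
PINS = {("actions/checkout", "v4"): "11bd71901bbe5b1630ceea73d27597364c9af683"}

if __name__ == "__main__":
    for n, action, ref, pinned in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {n}: {action}@{ref} {'pinned' if pinned else 'UNPINNED'}")
    print(pin_workflow(SAMPLE_WORKFLOW, PINS))
```

Running the audit again on the rewritten text shows which references still need a pin, which is the loop a maintainer would run over every file in `.github/workflows/`.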
