Pin the jenseng/dynamic-uses transitive GH Action dependency to a hash #48
@HarshCasper Any chance we could have this reviewed and merged in?
alexrashed
left a comment
Thanks a lot for the contribution, and thanks for the push towards pinned action references! That totally makes sense, and we could maybe directly move to Dependabot as well to make sure that we also regularly update to new releases of the actions.
I just think there is a bit of a mixup with the selected SHA hash (see comment), afterwards we can merge this one right in and we can take over the Dependabot onboarding afterwards.
alexrashed
left a comment
Unfortunately, the CI currently does not properly work for runs from forks (since it cannot checkout the action properly). I updated all the digest pins and introduced a Dependabot config. I will merge this for now and verify that the CI works properly on main.
With the recent supply chain attack on a popular GH Action, I noticed that this action has a transitive dependency on jenseng/dynamic-uses (which is a really clever chunk of code!).
GitHub recommends pinning to a SHA to protect against these sorts of attacks, which is what this PR does.
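Two checks that go with the discussion above, as an added example rather than code from this PR or the project: a line-based scan that flags every `uses:` reference in a workflow or a composite action's action.yml that is not pinned to a full 40-hex commit SHA (this is how a transitive dependency such as the one inside a composite action gets caught), and a helper that picks the right SHA for a tag from `git ls-remote --tags` output. The second addresses the "mixup with the selected SHA" kind of error: an annotated tag is listed twice, and only the peeled `^{}` line is the commit. All file contents, action names other than jenseng/dynamic-uses, version strings and commit IDs below are constructed sample data, not real commits.

```python
"""Added example (not the project's code): two offline checks for SHA-pinning
GitHub Actions references, run on constructed sample input."""
import re

# A `uses:` line in a workflow or a composite action.yml. The reference ends at
# whitespace, a quote or a trailing "# comment". Deliberately line-based so it
# runs without a YAML library; a production linter should parse the YAML.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"#\s]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")


def classify_ref(ref):
    """Classify one `uses:` reference.

    'local'     ./path inside the same repo (nothing to pin)
    'docker'    docker://image (pin by image digest instead; not handled here)
    'pinned'    owner/repo@<40 hex>  immutable commit
    'short-sha' owner/repo@<7..39 hex>  Actions requires the full SHA
    'mutable'   owner/repo@tag-or-branch, or no @ at all
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    if "@" not in ref:
        return "mutable"
    version = ref.rpartition("@")[2]
    if FULL_SHA_RE.match(version):
        return "pinned"
    if SHORT_SHA_RE.match(version):
        return "short-sha"
    return "mutable"


def find_unpinned(yaml_text):
    """Return [(line_no, ref, kind)] for every `uses:` that is not a full SHA.

    Run it over every workflow AND every action.yml the workflow pulls in:
    a composite action can itself reference further (transitive) actions.
    """
    findings = []
    for line_no, line in enumerate(yaml_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        kind = classify_ref(m.group(1))
        if kind in ("mutable", "short-sha"):
            findings.append((line_no, m.group(1), kind))
    return findings


def commit_for_tag(ls_remote_output, tag):
    """Pick the commit SHA to pin for `tag` from `git ls-remote --tags` output.

    An annotated tag appears twice: as the tag object (refs/tags/vX) and peeled
    (refs/tags/vX^{}). Only the peeled line is a commit; the tag object's SHA
    is not a commit and must not be used as the pin. A lightweight tag has only
    the plain line, which already is the commit. Returns None if tag is absent.
    """
    tag_obj = peeled = None
    for line in ls_remote_output.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split(None, 1)
        if ref == f"refs/tags/{tag}^{{}}":
            peeled = sha
        elif ref == f"refs/tags/{tag}":
            tag_obj = sha
    return peeled or tag_obj


# Constructed sample input: not real files, not real commit IDs.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567  # v2.1.0
      - uses: example-org/other-action@0123456
"""

SAMPLE_ACTION_YML = """\
name: composite-example
runs:
  using: composite
  steps:
    - name: dispatch to another action
      uses: jenseng/dynamic-uses@v1   # illustrative ref, flagged as mutable
"""

SAMPLE_LS_REMOTE = """\
1111111111111111111111111111111111111111\trefs/tags/v1
2222222222222222222222222222222222222222\trefs/tags/v1^{}
3333333333333333333333333333333333333333\trefs/tags/v1.0.1
"""

if __name__ == "__main__":
    for name, text in (("workflow", SAMPLE_WORKFLOW), ("action.yml", SAMPLE_ACTION_YML)):
        for line_no, ref, kind in find_unpinned(text):
            print(f"{name}:{line_no}: {kind}: {ref}")
    print("pin v1 to", commit_for_tag(SAMPLE_LS_REMOTE, "v1"))
```

In the sample, `actions/checkout@v4` and the composite action's `jenseng/dynamic-uses@v1` are reported as mutable and the 7-character ID as a short SHA, while the local path, the docker reference and the full-SHA pin pass. For `v1` the helper returns the peeled commit (`2222...`), not the tag object (`1111...`); for the lightweight `v1.0.1` it returns the only SHA listed. Keeping the `# v2.1.0` comment next to a pin is what lets Dependabot's `github-actions` ecosystem track and bump the pinned SHA.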