I'd like to SHA-pin third-party actions to reduce security concerns, but I just want to make sure whether it's unpinned intentionally or not.
So, considering recent supply-chain attacks like tj-actions/reviewdog, it's important to SHA-pin references to third-party actions.
As prior art, other projects on rust-lang do it (with Renovate enabled), like crates.io: https://github.com/rust-lang/crates.io/blob/main/.github/workflows/ci.yml
One minus point is that it becomes harder to maintain by hand. Though it can be resolved by using Renovate or something else. I'm a bit concerned it'll add some burdens for us, but it'd be acceptable I guess (we can rate-limit updates to reduce maintenance needs, for example).
But yeah, I think this is a discussion point, hence I opened this issue.
@tgross35 any thoughts on this?
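As an added example (not code from the issue author or the project), here is a small defender-side check for the pinning policy discussed above: it scans a workflow file for `uses:` steps and reports any third-party action whose ref is a mutable tag or branch rather than a full 40-hex commit SHA. The workflow text is a constructed sample, the SHA in it is a placeholder, and the scanner uses a line regex rather than a full YAML parser, which is an assumption that holds for the usual `- uses: owner/repo@ref` layout.

```python
import re

# Constructed sample workflow (not the project's real CI file) that mixes
# pinned and unpinned steps; the 40-hex SHA below is a placeholder value.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: dtolnay/rust-toolchain@stable
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
      - name: run tests
        run: cargo test
"""

# Only a full 40-character hex commit id is immutable; tags, branches and
# abbreviated SHAs can all be moved or resolve ambiguously.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")


def classify_ref(uses: str) -> str:
    """Return 'local', 'docker', 'sha', or 'mutable' for a `uses:` target."""
    if uses.startswith("./"):
        return "local"    # lives in this repo; fixed by the checked-out commit itself
    if uses.startswith("docker://"):
        return "docker"   # container image; should be pinned by digest, checked separately
    _, _, ref = uses.partition("@")
    return "sha" if FULL_SHA.match(ref) else "mutable"


def find_unpinned(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line number, uses target) for every third-party action
    that is not pinned to a full commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        target = m.group(1)
        if classify_ref(target) == "mutable":
            findings.append((lineno, target))
    return findings


if __name__ == "__main__":
    for lineno, target in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {target} is not pinned to a commit SHA")
```

Run against the sample it flags `actions/checkout@v4` and `dtolnay/rust-toolchain@stable` and accepts the SHA-pinned checkout step; the trailing `# v4` comment on a pinned line is the convention Renovate (and human readers) use to keep the intended version visible next to the immutable SHA.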