Using tags like @v1, @master, or @latest allows the action code to change without your review. If the action author is compromised, your pipeline is compromised.
Pin to the immutable commit SHA.
❌ Bad
uses: actions/checkout@v4
✅ Good
uses: actions/checkout@b4ffde6 # v4.1.1
All existing workflows shall be updated to pin the version of the actions to a specific commit SHA.
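To enforce the rule above across a repository, a checker that reads each workflow file, extracts every `uses:` reference (step-level actions and job-level reusable workflows) and flags anything not pinned to a full commit SHA is the natural tool. The script below is an added example written for this page, not code from GitHub or from any project; the sample workflow text and the 40-hex `setup-node` SHA in it are constructed placeholders. It treats only a full 40-character SHA as pinned, since that is the form GitHub documents as immutable; an abbreviated SHA such as the page's `b4ffde6` is reported separately so it can be expanded, and SHA-pinned lines without a trailing `# vX.Y.Z` comment are reported too, because that comment is what keeps the pin auditable and lets bump tooling know which release the SHA corresponds to.

```python
import re
from typing import List, Tuple

# A `uses:` line, at step level ("- uses:") or job level ("uses:" for reusable workflows).
# Captures the target up to whitespace, quote or comment; the rest of the line is kept for the comment check.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?(.*)$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")
VERSION_COMMENT_RE = re.compile(r"#\s*v?\d+(\.\d+)*")

# Constructed sample workflow (not from the page). Line numbers are referenced by the findings.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@b4ffde6 # v4.1.1
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.0 (placeholder SHA)
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - name: run
        run: echo ok
  lint:
    uses: octo-org/shared/.github/workflows/lint.yml@main
"""


def classify_ref(ref: str) -> str:
    """Classify the part after '@': 'sha' (full, immutable), 'short-sha' (abbreviated), or 'mutable' (tag/branch)."""
    if FULL_SHA_RE.match(ref):
        return "sha"
    if SHORT_SHA_RE.match(ref):
        return "short-sha"
    return "mutable"


def find_unpinned(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, target, problem) for every action reference that is not a full-SHA pin
    with a version comment. Local actions (./path) and docker:// images carry no git ref and are skipped."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, trailer = m.group(1), m.group(2)
        if target.startswith(("./", "docker://")):
            continue
        if "@" not in target:
            findings.append((lineno, target, "missing-ref"))
            continue
        _, ref = target.rsplit("@", 1)
        kind = classify_ref(ref)
        if kind != "sha":
            findings.append((lineno, target, kind))
        elif not VERSION_COMMENT_RE.search(trailer):
            # Pinned correctly, but nobody can tell which release this SHA is without the comment.
            findings.append((lineno, target, "sha-without-version-comment"))
    return findings


if __name__ == "__main__":
    for lineno, target, problem in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {target}: {problem}")
```

Run against a real repository by reading each file under `.github/workflows/` and passing its contents to `find_unpinned`; a non-empty result is the CI failure condition. The `docker://` and `./` exclusions are deliberate: container images are pinned by digest rather than by git SHA and need a separate check.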