Hash-pin workflow GitHub Actions
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
lxml | Fix Released | Medium | scoder |
Bug Description
Hey, it's Pedro (see [1] and [2]) and I'm back with another security suggestion.
When developing with CI workflows, it's common to version-pin dependencies (i.e. `actions/
Pinning workflow dependencies by hash ensures the dependency is immutable and its behavior is guaranteed.
These hashes will be automatically updated by dependabot. Whenever a new version of an Action is released, you'll receive a PR updating both its hash and the version comment. In fact, I can modify the dependabot config to receive a single PR with all new Actions instead of one PR per Action (see [3] for an example PR).
I'll send a PR pinning the Actions along with this issue.
[1]: https:/
[2]: https:/
[3]: https:/
Changed in https://github.com/lxml/lxml/pull/386
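A small checker for the property the report asks for, added here as an illustration and not taken from the lxml PR or from Pedro's code: it scans a workflow file for `uses:` references that are not pinned to a full 40-character commit SHA, and for SHA-pinned references that lack the trailing version comment dependabot uses to keep the hash and version in sync. The workflow text and both SHAs below are constructed sample input, not real action commits.

```python
import re
from typing import List, Tuple

# Added example (not lxml's or the reporter's code). Audits a GitHub Actions
# workflow for `uses:` references that are not pinned to a full 40-hex commit
# SHA, and for SHA-pinned references missing the trailing version comment
# that dependabot updates alongside the hash.

# Matches `uses:` step values such as:
#   - uses: actions/checkout@v4
#   - uses: "actions/checkout@<sha>"  # v4.1.1
# A leading '#' (commented-out line) does not match.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

Finding = Tuple[int, str, str, str]  # (line_no, repo, ref, issue)


def classify_ref(uses: str) -> Tuple[str, str, str]:
    """Split a `uses:` value into (repo, ref, kind).

    kind is 'local' for ./path actions, 'docker' for docker:// images,
    'sha' when ref is a full 40-hex commit SHA, and otherwise 'mutable'
    (a tag, a branch, a short SHA, or no ref at all, which resolves to
    the action's default branch).
    """
    if uses.startswith("./"):
        return uses, "", "local"
    if uses.startswith("docker://"):
        return uses, "", "docker"
    repo, _, ref = uses.partition("@")
    if FULL_SHA_RE.fullmatch(ref):
        return repo, ref, "sha"
    return repo, ref, "mutable"


def audit_workflow(text: str) -> List[Finding]:
    """Return one finding per `uses:` line that is not hash-pinned, or that is
    hash-pinned but carries no version comment for dependabot to maintain."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        repo, ref, kind = classify_ref(m.group(1))
        if kind == "mutable":
            findings.append((lineno, repo, ref, "mutable-ref"))
        elif kind == "sha" and "#" not in line[m.end():]:
            findings.append((lineno, repo, ref, "no-version-comment"))
    return findings


# Constructed sample workflow; the two SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # v5.0.0 (constructed SHA)
      - uses: actions/upload-artifact@fedcba9876543210fedcba9876543210fedcba98
      - uses: ./.github/actions/local-step
      - name: Lint
        uses: "some-org/some-linter@main"
      - run: make test
"""


if __name__ == "__main__":
    for lineno, repo, ref, issue in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {repo}@{ref or '<default branch>'}: {issue}")
```

Run against a real `.github/workflows/*.yml` file by passing its contents to `audit_workflow`. A short SHA is reported as mutable on purpose: only the full 40-character commit hash is treated as an immutable pin. The single grouped dependabot PR the report mentions is a dependabot configuration concern (its `groups` setting for the `github-actions` ecosystem) and is not produced by this checker.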