← Back to context Comment by barrkel 7 days ago Transitive dependencies? 2 comments barrkel Reply Kovah 7 days ago Yeah, only works if all used Actions would use SHAs too, which is not the case.Positive example: https://github.com/codecov/codecov-action/blob/96b38e9e60ee6... Negative example: https://github.com/armbian/build/blob/54808ecff253fb71615161... cedws 6 days ago I've also found many Actions that do other dodgy stuff, like pulling and executing unpinned scripts from external websites, or installing unpinned binaries from GitHub releases. Pinning an Action isn't enough, you have to audit it.
Kovah 7 days ago Yeah, only works if all used Actions would use SHAs too, which is not the case.Positive example: https://github.com/codecov/codecov-action/blob/96b38e9e60ee6... Negative example: https://github.com/armbian/build/blob/54808ecff253fb71615161... cedws 6 days ago I've also found many Actions that do other dodgy stuff, like pulling and executing unpinned scripts from external websites, or installing unpinned binaries from GitHub releases. Pinning an Action isn't enough, you have to audit it.
cedws 6 days ago I've also found many Actions that do other dodgy stuff, like pulling and executing unpinned scripts from external websites, or installing unpinned binaries from GitHub releases. Pinning an Action isn't enough, you have to audit it.
Yeah, only works if all used Actions would use SHAs too, which is not the case.
Positive example: https://github.com/codecov/codecov-action/blob/96b38e9e60ee6... Negative example: https://github.com/armbian/build/blob/54808ecff253fb71615161...
I've also found many Actions that do other dodgy stuff, like pulling and executing unpinned scripts from external websites, or installing unpinned binaries from GitHub releases. Pinning an Action isn't enough, you have to audit it.