Comment by OptionOfT

3 days ago

You can pin a GitHub Action to a SHA, but the GitHub Action can be a Docker one pointing to a mutable Docker image label.

Example:

https://github.com/github-community-projects/issue-metrics/b...

> Why doesn't GitHub just enforce immutable versioning for actions?

You can't. They can execute arbitrary code. They can download another bash file via curl and execute that.

> You can't. They can execute arbitrary code. They can download another bash file via curl and execute that.

Presumably you'd check the code of the action before you include it (and then don't use an action with non-pinned versions). This way you know the action won't execute arbitrary code for this version and won't get any other code because of version pinning.

The Docker action you linked is ironic in this regard since every other version in the code seems to be pinned except the one you linked to.
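An added example, not code from either commenter or from the issue-metrics project: a small Python lint that makes the point in both comments concrete. It classifies each `uses:` in a workflow as commit-SHA-pinned or mutable, and for SHA-pinned actions it then looks at the action's own `action.yml` (supplied by the caller, as text fetched at that pinned commit) and flags a Docker-based action whose `image:` is a registry tag rather than an `@sha256:` digest. The workflow, repository names and manifests below are constructed sample input; the only regex-based YAML handling is deliberately minimal so the script runs without third-party packages.

```python
"""Lint GitHub Actions references for mutable pins.

A `uses:` pinned to a 40-hex commit SHA fixes the action repository's
contents, but a Docker-based action whose action.yml says
`image: docker://registry/name:tag` still pulls whatever the registry
currently serves for that tag. Only an `@sha256:<digest>` image
reference is immutable in the same sense as a commit SHA.
"""
import re

COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")
IMAGE_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
# Minimal line-oriented YAML matching (assumption: one key per line, no flow syntax).
IMAGE_LINE = re.compile(r"""^\s*image:\s*['"]?([^'"\s#]+)""", re.MULTILINE)
USES_LINE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)""", re.MULTILINE)


def classify_image(image: str) -> str:
    """Classify the `image:` of a Docker action (or a docker:// `uses:`)."""
    name = image[len("docker://"):] if image.startswith("docker://") else image
    if name.endswith("Dockerfile"):
        return "dockerfile"      # built from the pinned repo; its FROM lines need a separate check
    if IMAGE_DIGEST.search(name):
        return "digest-pinned"   # content-addressed, cannot change under you
    return "mutable-tag"         # `:tag` or implicit `:latest`; the registry can repoint it


def classify_uses(ref: str) -> str:
    """Classify a workflow `uses:` value."""
    if ref.startswith("./"):
        return "local"           # path in the same repo; fixed by the checkout commit
    if ref.startswith("docker://"):
        return classify_image(ref)
    if "@" not in ref:
        return "unpinned"
    _, _, version = ref.partition("@")
    return "sha-pinned" if COMMIT_SHA.match(version) else "mutable-ref"


def audit(workflow_text: str, action_manifests: dict) -> list:
    """Return (reference, verdict) pairs for every `uses:` in a workflow.

    `action_manifests` maps 'owner/repo' to the text of that action's
    action.yml as it exists at the pinned commit (caller supplies it).
    """
    findings = []
    for ref in USES_LINE.findall(workflow_text):
        verdict = classify_uses(ref)
        findings.append((ref, verdict))
        if verdict != "sha-pinned":
            continue             # already flagged; no point inspecting further
        repo = ref.split("@", 1)[0]
        manifest = action_manifests.get(repo)
        if manifest is None:
            continue
        m = IMAGE_LINE.search(manifest)
        if m:                    # Docker-based action: the SHA pin is only as strong as the image ref
            findings.append((f"{repo} -> {m.group(1)}", classify_image(m.group(1))))
    return findings


# Constructed sample workflow and manifests (hypothetical org and action names).
WORKFLOW = """\
jobs:
  metrics:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/metrics-action@fedcba9876543210fedcba9876543210fedcba98
      - uses: example-org/other-action@v3
"""
MANIFESTS = {
    "actions/checkout": "runs:\n  using: node20\n  main: dist/index.js\n",
    "example-org/metrics-action": """\
name: metrics
runs:
  using: 'docker'
  image: 'docker://ghcr.io/example-org/metrics-action:v2'
""",
}

if __name__ == "__main__":
    for ref, verdict in audit(WORKFLOW, MANIFESTS):
        print(f"{verdict:14} {ref}")
```

Run as-is it reports both SHA-pinned steps, then flags `example-org/metrics-action` a second time because its `image:` is a mutable `:v2` tag, and flags `other-action@v3` as a mutable ref. The verdict you want everywhere is `sha-pinned` paired with `digest-pinned` (or `dockerfile`, in which case the Dockerfile's `FROM` lines deserve the same digest check).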