lijok 2 hours ago

The problem is actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 probably doesn't do this same pinning, and the actions ecosystem is such an intertwined mess that any single compromised action can propagate to the rest
imglorp 2 hours ago

Yes, true, but at least the fire won't spread through this one point. Hopefully all of your upstreams can be persuaded to pin also.
derfniw 2 hours ago

Well, it is a git commit hash of the action repo that contains the transpiled/bundled JavaScript. Like: https://github.com/actions/checkout/tree/11bd71901bbe5b1630c... So I'm pretty sure that for the same commit hash, I'll be executing the same content.
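The two points above fit together: a full commit SHA does freeze the content of the action you reference, but only for that one hop, so a composite action you pin can itself pull in `actions/setup-python@v5` or a branch name, and that reference moves independently of your pin. The check below is an added example, not code from any of the commenters or from GitHub; it scans `uses:` lines in a workflow and in a composite action's `action.yml` and reports every reference that is not a 40-hex commit SHA (or, for `docker://` images, not a digest). Both YAML samples are constructed for the example; `example-org/build-helper` is a placeholder name, and the only real identifier is the `actions/checkout` commit quoted in the thread.

```python
import re

# Matches one step line such as `- uses: owner/repo@ref` or
# `uses: owner/repo/sub/dir@ref`; an optional trailing `# v4.2.2` comment is ignored.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?')
# A full git commit SHA: the only ref GitHub treats as immutable.
SHA_RE = re.compile(r'^[0-9a-fA-F]{40}$')


def classify_ref(uses):
    """Return (kind, reason) for one `uses:` value.

    kind is 'pinned', 'unpinned' or 'local'. Local actions are resolved from the
    already checked-out commit, so they inherit whatever pinned the checkout.
    """
    if uses.startswith('./'):
        return ('local', 'action lives in this repo; fixed by the checked-out commit')
    if uses.startswith('docker://'):
        image = uses[len('docker://'):]
        if '@sha256:' in image:
            return ('pinned', 'container image pinned by digest')
        return ('unpinned', 'container image referenced by tag, not by digest')
    if '@' not in uses:
        return ('unpinned', 'no ref at all (resolves to the default branch)')
    _, ref = uses.rsplit('@', 1)
    if SHA_RE.match(ref):
        return ('pinned', 'full 40-hex commit SHA')
    return ('unpinned', 'mutable ref %r (a tag or branch can be moved)' % ref)


def find_unpinned_uses(text):
    """Return [(line_no, uses_value, reason)] for every unpinned `uses:` in text.

    Works on a workflow file and on a composite action's action.yml alike,
    because both list their steps as `uses:` entries.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        uses = m.group(1)
        kind, reason = classify_ref(uses)
        if kind == 'unpinned':
            findings.append((lineno, uses, reason))
    return findings


# Constructed sample workflow: only the checkout step is pinned to a commit.
WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/lint
      - uses: docker://alpine:3.20
      - uses: example-org/build-helper@main
"""

# Constructed action.yml for the (placeholder) composite action above: pinning
# `example-org/build-helper` by SHA would still leave this inner ref mutable.
COMPOSITE_ACTION = """\
name: build-helper
runs:
  using: composite
  steps:
    - uses: actions/setup-python@v5
    - run: echo build
      shell: bash
"""

if __name__ == '__main__':
    for label, text in (('workflow', WORKFLOW), ('composite action', COMPOSITE_ACTION)):
        for lineno, uses, reason in find_unpinned_uses(text):
            print('%s line %d: %s -> %s' % (label, lineno, uses, reason))
```

Running the scanner over the workflow alone reports three unpinned steps; running it over the composite action's `action.yml` reports the fourth, which is exactly the transitive case no amount of pinning in your own workflow can fix. In practice the second scan has to be repeated for every non-local action you reference, at the commit you pinned it to.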