| ▲ | derfniw 2 hours ago | |
Well, it is a git commit hash of the action repo that contains the transpiled/bundled javascript. Like: https://github.com/actions/checkout/tree/11bd71901bbe5b1630c... So I'm pretty sure that for the same commit hash, I'll be executing the same content. | ||
| ▲ | hobofan 2 hours ago | parent [-] | |
This is true specifically for actions/checkout, but composite actions can have other actions as dependencies, and unless the composite action pins the versions of its dependencies, it is vulnerable for this attack. This article[0] gives a good overview of the challenges, and also has a link to a concrete attack where this was exploited. [0]: https://nesbitt.io/2025/12/06/github-actions-package-manager... | ||