deepsun a day ago
Maybe it's better to pull that dependency source in your action altogether?
rmunn a day ago
I hadn't previously considered vendoring GHA dependencies, but yes, that might be a good idea. Perhaps not in all circumstances, but for anything that might be at risk of supply-chain compromise, the same arguments that apply to NPM apply to GHA.
pabs3 a day ago
Better to treat it as a dependency still, but audit each new commit/release as it comes in, and pin to the exact last commit id that you verified.