We should pin our third party github actions to a specific commit, rather than a tag as we currently do.
This is a cybersecurity measure recommended by GitHub:
The individual jobs in a workflow can interact with (and compromise) other jobs. For example, a job querying the environment variables used by a later job, writing files to a shared directory that a later job processes, or even more directly by interacting with the Docker socket and inspecting other running containers and executing commands in them.
This means that a compromise of a single action within a workflow can be very significant, as that compromised action would have access to all secrets configured on your repository, and may be able to use the GITHUB_TOKEN to write to the repository. Consequently, there is significant risk in sourcing actions from third-party repositories on GitHub. For information on some of the steps an attacker could take, see Secure use reference.
In our workflows, we have some third party actions used like such:
- name: Install uv
uses: astral-sh/setup-uv@v7
We should pin our third party github actions to a specific commit, rather than a tag as we currently do.
This is a cybersecurity measure recommended by GitHub:
In our workflows, we have some third party actions used like such: