This repo currently pins GitHub Actions using tags, which are immutable.
Github recommends using SHA hashes to lock them down more explicitly:
https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions
There are tools for automating this, as well as working out human-readable versions for the SHA commits. Dependabot can also be configured to automatically update action versions using SHA hashes when updates are available.
This repo currently pins GitHub Actions using tags, which are immutable.
Github recommends using SHA hashes to lock them down more explicitly:
https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions
There are tools for automating this, as well as working out human-readable versions for the SHA commits. Dependabot can also be configured to automatically update action versions using SHA hashes when updates are available.