by turtleyacht
464 days ago
Dependabot has never recommended a SHA hash for a GitHub Action for me. The suggested pull request updates the tag from @v4 to @v4.2.1 or similar. But tags are said to be risky too [1], because tags can "float." The SHA hash would eventually be out of date. Wonder how a "supply chain risk expiration" service would recommend the next safest version to upgrade to. Otherwise, it will always be a manual check among multiple vendors. (Or, just pin the version one is happy with.)

[1] https://docs.github.com/en/actions/security-for-github-actio...
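As an added example (not part of the comment above, and not a tool Dependabot or GitHub ships), here is a small audit that classifies every `uses:` reference in a workflow file the way the comment distinguishes them: floating tags like `@v4` or `@v4.2.1`, a full 40-character commit SHA, and references that need no pin (local actions, `docker://` images). The workflow text is constructed for the example; the SHA in it is a placeholder, not a real commit.

```python
import re

# Constructed sample workflow for the example; the SHA below is a placeholder,
# not a real actions/cache commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4.2.1
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # v4.0.2
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: npm test
"""

# A `uses:` value ends at whitespace or at a trailing "# v4.0.2" style comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
# Only a full 40-hex SHA is immutable; short SHAs and tags can be moved.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(uses: str) -> str:
    """Return how a `uses:` reference is pinned.

    "sha"      -> full commit SHA (immutable)
    "mutable"  -> tag, branch or short SHA (can float to new code)
    "unpinned" -> no @ref at all (resolves to the default branch)
    "local"    -> action in this repository, checked out with the workflow
    "docker"   -> container image; pin by digest separately if desired
    """
    if uses.startswith("./"):
        return "local"
    if uses.startswith("docker://"):
        return "docker"
    _action, _, ref = uses.partition("@")
    if not ref:
        return "unpinned"
    if FULL_SHA_RE.match(ref):
        return "sha"
    return "mutable"


def audit_workflow(text: str) -> list[tuple[str, str]]:
    """List every (reference, classification) pair found in a workflow."""
    return [(m.group(1), classify_ref(m.group(1))) for m in USES_RE.finditer(text)]


def floating_refs(text: str) -> list[str]:
    """References a reviewer would want pinned to a full SHA."""
    return [u for u, kind in audit_workflow(text) if kind in ("mutable", "unpinned")]


if __name__ == "__main__":
    for ref, kind in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{kind:9} {ref}")
    print("needs pinning:", floating_refs(SAMPLE_WORKFLOW))
```

Run it over `.github/workflows/*.yml` in CI to fail a build when `floating_refs` is non-empty. The check is line-based on purpose so it needs no YAML library; it does not verify that a SHA actually exists in the action's repository, which is the separate question the comment raises about knowing when a pinned SHA is out of date.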