by stasge
295 days ago
There is low-hanging fruit in making GitHub Actions more secure (anyone from GitHub here?):

- Forbid (or at least warn about) shell interpolation in composite actions and guide to using environment variables instead
- Warn unless all external actions are pinned by git commit (with customizable exceptions)
- Warn unless all used docker images are pinned by digests