by deepsun, 56 days ago
Maybe it's better to pull that dependency source in your action altogether?
2 comments
rmunn, 56 days ago
I hadn't previously considered vendoring GHA dependencies, but yes, that might be a good idea. Perhaps not in all circumstances, but for anything that might be at risk of supply-chain compromise, the same arguments that apply to NPM apply to GHA.
pabs3, 56 days ago
Better to treat it as a dependency still, but audit each new commit/release as it comes in, and pin to the exact last commit id that you verified.
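A defender-side check for the pinning advice above, as an added example that is not code from the thread: a small linter that scans GitHub Actions workflow text for `uses:` references and flags any remote action not pinned to a full 40-hex commit id (tags like `v4` and bare branch refs are mutable). The sample workflow and its SHA are constructed placeholders, not real commits of the named repositories.

```python
import re

# A `uses:` step reference in a workflow: "owner/repo[/subdir]@ref".
# Local (./) and docker:// references are not GitHub repo refs and are skipped.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_pinned_sha(ref: str) -> bool:
    """True only for a full 40-hex commit id; tags, branches and short SHAs are mutable or ambiguous."""
    return bool(FULL_SHA_RE.match(ref))


def find_unpinned(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, uses_value, reason) for each remote action not pinned to a full commit id."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        uses = m.group(1)
        if uses.startswith("./") or uses.startswith("docker://"):
            continue  # local or container action, not a GitHub repository reference
        if "@" not in uses:
            findings.append((line_no, uses, "no ref at all (resolves to the default branch)"))
            continue
        _, ref = uses.rsplit("@", 1)
        if not is_pinned_sha(ref):
            findings.append((line_no, uses, f"mutable ref '{ref}'"))
    return findings


# Constructed sample workflow (not from the thread). The SHA below is a
# placeholder value, not a real commit of the named repository.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # placeholder sha
      - uses: ./.github/actions/local-step
      - uses: some-org/some-action
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for line_no, uses, reason in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {uses}: {reason}")
```

Run it against the workflow files under `.github/workflows/` in CI so a newly added tag-pinned action fails the build until its commit has been reviewed and the reference replaced with the verified SHA.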
deepsun, 54 days ago
Yes, but no one audits new dependency versions usually. Only release notes, mostly.