undefined | Better HN

0 pointsnulltrace2d ago0 comments

The ref pinning part is almost worse than no pinning. You can pin the action itself to a commit SHA, sure. But half the actions out there clone other repos, curl binaries, or run install scripts internally. Basically none of that is covered by your pin. You're trusting that the action author didn't stick a `curl | bash` somewhere in their own infra.

Audited our CI a few months back and found two actions doing exactly that. Pinned to SHA on our end, completely unpinned fetches happening inside.

0 comments

cedws2d ago

In this case I'm talking about what the Action did internally. The git clone inside was not pinned, but is now.

j / k navigate · click thread line to collapse

0 pointsnulltrace2d ago0 comments

Audited our CI a few months back and found two actions doing exactly that. Pinned to SHA on our end, completely unpinned fetches happening inside.

0 comments

cedws2d ago

In this case I'm talking about what the Action did internally. The git clone inside was not pinned, but is now.

j / k navigate · click thread line to collapse