DevOps · Flashcard

How should you reference a third-party action to guard against supply-chain tampering?

  • A. Pin the action to a full-length commit SHA rather than a tag, since tags are mutable and movable
  • B. Pin the action to a signed release tag rather than a branch, since signed tags can never be altered
  • C. Fork the action into your own organization rather than using upstream, since forks receive no updates
  • D. Vendor the action source into your own repository rather than referencing it, since copies never change

Why this is the answer

Pinning to a full commit SHA is immutable, unlike a tag, which can be moved to point at malicious code. A signed tag is still a movable ref, forking upstream is heavy-handed (and forks can update), and vendoring source is not a supported way to reference actions.
