Summary
All third-party GitHub Actions in this repository's workflows are currently referenced by mutable version tags (e.g., actions/checkout@v4). This is a supply-chain security risk — tags can be force-pushed to point to malicious code.
Recommendation
Pin all third-party GitHub Actions to their full commit SHA while preserving the version in a comment for readability:
# Before (insecure)
uses: actions/checkout@v4
# After (secure)
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
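To verify the pins hold (and catch regressions in later PRs), here is an added example check, not part of this report or the repository, that scans workflow text for `uses:` references and flags any not pinned to a full 40-hex commit SHA. The sample workflow is constructed; local (`./`) and `docker://` references are skipped because tag pinning does not apply to them.

```python
import re
from typing import NamedTuple

# Constructed sample workflow (not from the repository). A real check would
# read every file under .github/workflows/ and run find_action_refs on each.
SAMPLE_WORKFLOW = """\
name: tests
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
      - uses: actions/setup-node@v4
      - uses: "github/codeql-action/init@main"
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - name: Run
        run: echo "uses: not-an-action@v1"
"""

# Matches a `uses:` key (optionally as a list item, optionally quoted) and
# captures the reference up to a space, quote or trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(['\"]?)([^'\"#\s]+)\1")
# A full commit SHA is exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

class ActionRef(NamedTuple):
    line: int
    ref: str
    pinned: bool

def find_action_refs(text: str) -> list[ActionRef]:
    """Return every third-party action reference with its pin status."""
    refs = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(raw)
        if not m:
            continue
        ref = m.group(2)
        # Local actions and container images are not tag-pinned GitHub actions.
        if ref.startswith(("./", "docker://")):
            continue
        _, _, version = ref.partition("@")
        refs.append(ActionRef(lineno, ref, bool(SHA_RE.match(version))))
    return refs

def unpinned_refs(text: str) -> list[ActionRef]:
    """References still on a mutable tag or branch (the risk described above)."""
    return [r for r in find_action_refs(text) if not r.pinned]
```

Wiring this into a CI job that fails when `unpinned_refs` is non-empty keeps the repository from drifting back to mutable tags.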
Affected Files
.github/workflows/dependency-review.yml
.github/workflows/frontend.yml
.github/workflows/lint.yml
.github/workflows/publish-docker.yml
.github/workflows/spellcheck.yml
.github/workflows/tests.yml
Actions Pinned
15 action references across 6 workflow file(s).
References