Workflow Uses Moving Target Branch
Closed this issue · 1 comments
tillmann-crabnebula commented
Is there a specific reason for the workflow to target the master branch of the checkout action?
IMHO, this moving target can break workflows and is prone to the supply chain attacks this project aims to manage.
I am used to either using the release tag or a commit hash like:
```yaml
- uses: actions/checkout@v4
```
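A check for the pinning practice raised in this issue, as an added example that is not part of the original issue or the project's code: it scans workflow text for `uses:` references and flags any that point at a branch or carry no ref at all. The function names, the sample workflow and the 40-character hash are constructed for illustration, and telling a tag from a branch by its name alone is a heuristic.

```python
import re

# Matches "uses: owner/repo[/path]@ref" on a workflow step or job line.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # full commit hash
TAG_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")     # v4, v4.1, 4.1.2

def classify_ref(ref):
    """Return 'sha', 'tag' or 'branch' for the part after '@'."""
    if SHA_RE.match(ref):
        return "sha"
    if TAG_RE.match(ref):
        return "tag"
    return "branch"  # heuristic: anything else is assumed to be a branch name

def audit_workflow(text):
    """Return (line_no, action, ref, kind) for each remote action reference."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope
        action, sep, ref = target.partition("@")
        kind = classify_ref(ref) if sep else "unpinned"
        findings.append((no, action, ref, kind))
    return findings

# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for no, action, ref, kind in audit_workflow(SAMPLE):
        flag = "FAIL" if kind in ("branch", "unpinned") else "ok"
        print(f"{flag:4} line {no}: {action}@{ref} ({kind})")
```

A tag can still be repointed by the action's maintainers, whereas a full commit hash cannot, so a stricter policy would accept only the `sha` kind.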