reduxjs/redux

[security] Reference actions by commit SHA

gabibguti opened this issue · 1 comments

New Features

What is the new or updated feature that you are suggesting?

Referencing actions by commit SHA in workflows to keep your repository safe against supply-chain attacks.

Why should this feature be included?

I'd like us to reference actions by commit SHA in workflows to ensure we are using an immutable version. Actions referenced by tags and branches are vulnerable to attacks, such as moving a tag to a malicious commit, pushing a malicious commit to the branch, or typosquatting.

While each reference has its advantages and disadvantages, GitHub acknowledges that using commit SHAs is more reliable, as does Scorecard security tool.

What docs changes are needed to explain this?

I'm not sure.

Additional context

If you agree with this security measure suggestion, I can open a PR.

About me, I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)

We don't use Actions for publishing on npm, so this isn't a practical vulnerability for us. Thanks for keeping an eye out!