Summary
All GitHub Actions in the workflow files currently use either mutable tags (e.g., @v6) or SHA pins without version comments. This should be standardized to use SHA pins with version comments for better security and maintainability.
Problem
- Mutable tags can be moved to point to different (potentially malicious) code
- SHA pins without version comments are hard to audit and update
Proposed Solution
Convert all action references to the format:
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
Files affected
.github/workflows/codeql-analysis.yml
.github/workflows/ci.yml
.github/workflows/lint.yml
.github/workflows/e2e.yml
.github/workflows/release.yaml
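As an added example (not part of the original issue or the project's own tooling), the script below audits workflow text for the two problems named above: a `uses:` reference that is not a full 40-character commit SHA, and a SHA pin that carries no trailing `# vX.Y.Z` comment. The sample workflow is constructed for the demonstration; the `actions/setup-node` SHA in it is a placeholder, not a real commit, while the `actions/checkout` pin is the one quoted in the proposed format.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches a step line such as "  - uses: owner/repo@ref  # v1.2.3"
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>.*))?$")
# A full git commit SHA: 40 lowercase hex characters
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Accepts version comments like "v6", "v6.0", "v6.0.1" or "6.0.1"
VERSION_COMMENT_RE = re.compile(r"^v?\d+(\.\d+){0,2}")

# Constructed sample; the setup-node SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    ref: str
    problem: str  # "mutable-tag" or "sha-without-version-comment"


def classify(ref: str, comment: str | None) -> str | None:
    """Return the problem with one uses: reference, or None if it is acceptable."""
    ref = ref.strip("\"'")
    # Local composite actions and docker:// images are not remote action refs; skip them.
    if ref.startswith("./") or ref.startswith("docker://"):
        return None
    if "@" not in ref:
        # No ref at all resolves to a branch, which is as mutable as a tag.
        return "mutable-tag"
    _, version = ref.rsplit("@", 1)
    if not FULL_SHA_RE.match(version):
        # Tags (v6, v6.0.1) and branch names can be moved to point at other code.
        return "mutable-tag"
    if not comment or not VERSION_COMMENT_RE.match(comment.strip()):
        # Pinned, but nobody can tell which release the SHA corresponds to.
        return "sha-without-version-comment"
    return None


def audit_workflow(text: str) -> list[Finding]:
    """Scan workflow YAML text line by line and collect every non-compliant uses: reference."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        problem = classify(match["ref"], match["comment"])
        if problem:
            findings.append(Finding(line_no, match["ref"].strip("\"'"), problem))
    return findings


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.ref}: {f.problem}")
```

Run it against each file in the list above by reading the file into `audit_workflow`; a clean result is an empty list, which makes it a simple CI gate once the conversion is done.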