Hello. This action downloads the latest git-version binary by default, even when the action is pinned to a specific SHA. If a malicious contributor creates a release in the future, many users would be exposed to the compromised binary. Enabling immutable releases in this repository should mitigate this risk for future releases.
```bash
if [ "${{ inputs.tool-version }}" = "latest" ]; then
  download_url="$(curl -Ls https://api.github.com/repos/codacy/git-version/releases/latest | jq -r .assets[0].browser_download_url)"
else
  download_url="https://github.com/codacy/git-version/releases/download/${{ inputs.tool-version }}/git-version"
fi
curl -Ls "$download_url" > /usr/local/bin/git-version
chmod +x /usr/local/bin/git-version
```
git-version/action.yml, lines 55 to 61 in e81d6fd
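For comparison, here is a hardened shape of the same install step. This is an added example, not code from the codacy/git-version project: it refuses the floating `latest` selector so that a SHA-pinned action also pins the binary it runs, downloads to a temporary path, and installs only after the file matches a pinned SHA-256 digest. The release URL pattern is taken from the snippet above; the `expected_sha256` value a workflow would pass in is assumed to come from the action's inputs or a checked-in constant.

```shell
#!/usr/bin/env bash
# Added example (not the project's own code): pinned, checksum-verified
# download of a release binary. Assumes the release-asset URL pattern
# shown in the original step; everything else is constructed here.
set -euo pipefail

# Map a version input to a release URL, refusing floating selectors.
# A pinned action SHA does not freeze "latest", so reject it outright.
resolve_download_url() {
  local version="$1"
  case "$version" in
    ""|latest)
      echo "refusing floating version '${version}'; pin an explicit release tag" >&2
      return 1 ;;
  esac
  echo "https://github.com/codacy/git-version/releases/download/${version}/git-version"
}

# Compare a file's SHA-256 with the expected digest; non-zero on mismatch.
# Falls back to shasum where GNU sha256sum is not installed.
verify_sha256() {
  local file="$1" expected="$2" actual
  if command -v sha256sum >/dev/null 2>&1; then
    actual="$(sha256sum "$file" | cut -d' ' -f1)"
  else
    actual="$(shasum -a 256 "$file" | cut -d' ' -f1)"
  fi
  [ "$actual" = "$expected" ]
}

# Download to a temp file and install only after the digest check passes,
# so an unexpected binary never lands on PATH. -f makes curl fail on HTTP
# errors instead of writing an error page to disk.
install_verified() {
  local url="$1" expected="$2" dest="$3" tmp
  tmp="$(mktemp)"
  if ! curl -fsSL "$url" -o "$tmp"; then
    rm -f "$tmp"
    echo "download failed: ${url}" >&2
    return 1
  fi
  if ! verify_sha256 "$tmp" "$expected"; then
    rm -f "$tmp"
    echo "checksum mismatch for ${url}; refusing to install" >&2
    return 1
  fi
  install -m 0755 "$tmp" "$dest"
  rm -f "$tmp"
}

# Usage inside a workflow step (values are placeholders, not real digests):
#   url="$(resolve_download_url "${TOOL_VERSION}")"
#   install_verified "$url" "${EXPECTED_SHA256}" /usr/local/bin/git-version
```

The key change is that the digest, not the tag, is the trust anchor: a release tag can be moved or recreated, but a binary that no longer hashes to the pinned value is rejected before it is made executable.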