Currently it is necessary to pin an action to a commit SHA, to avoid supply chain attacks as happened with tj-actions/changed-files last year, where all tags in the repo were changed to point to a malicious commit. The downside of this is that it isn't very readable what the current version of an action is.
GitHub's immutable releases feature is now generally available (announcement, docs). This makes it impossible to change a release or tag referenced by a release once published. Then, it would once again be safe to reference an action by tag, at least for full-length tags like v8.1.0. Short tags, like v8, are mutable by definition, so it doesn't help here.
Would it be possible to enable immutable releases for this repo?
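The trade-off the issue describes (SHA pins are safe but unreadable, tag pins are readable but mutable) is easy to audit mechanically. The script below is an added example, not code from the issue author or from this repository: it scans a workflow file for `uses:` references that are not pinned to a full 40-hex commit SHA, and separately lists SHA pins that lack the conventional trailing `# vX.Y.Z` comment that restores readability. The workflow text, the `example-org/example-action` name and both 40-hex SHAs are constructed placeholders, not real commits.

```shell
#!/bin/sh
# Added example (not from the issue or the project): audit a GitHub Actions
# workflow for action references that are not pinned to a commit SHA.
# Tag pins (@v8, @v8.1.0) are mutable unless the release is immutable, so a
# defender usually wants them reported; SHA pins are safe but should carry a
# "# version" comment so reviewers can still read which version is in use.

# Constructed sample workflow used as input. The SHAs below are placeholders
# (not real commits) and example-org/example-action is a hypothetical action.
SAMPLE_WORKFLOW='name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.3
      - uses: tj-actions/changed-files@89abcdef89abcdef89abcdef89abcdef89abcdef
      - uses: ./.github/actions/local-thing
      - run: npm test
      - uses: example-org/example-action@v8.1.0
'

# Extract the value of every "uses:" key (with or without a leading "- ").
extract_uses() {
  printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*//p'
}

# Print each action reference that is NOT pinned to a 40-hex commit SHA.
# Local actions (./path) and docker:// images are skipped; a trailing
# "# comment" is stripped before the check so commented SHA pins pass.
find_unpinned_uses() {
  extract_uses "$1" \
    | grep -v '^\./' \
    | grep -v '^docker://' \
    | sed 's/[[:space:]]*#.*$//' \
    | grep -v -E '@[0-9a-f]{40}$' || true
}

# Number of unpinned references (0 when the workflow is fully SHA-pinned).
count_unpinned() {
  find_unpinned_uses "$1" | grep -c . || true
}

# Print SHA-pinned references that have no trailing "# version" comment:
# safe against tag rewrites, but a reviewer cannot tell which version it is.
find_uncommented_sha_pins() {
  extract_uses "$1" | grep -E '@[0-9a-f]{40}[[:space:]]*$' || true
}

# Stand-alone run: report on the constructed sample workflow.
echo "Not SHA-pinned (mutable tag references):"
find_unpinned_uses "$SAMPLE_WORKFLOW"
echo "SHA-pinned but missing a version comment:"
find_uncommented_sha_pins "$SAMPLE_WORKFLOW"
echo "Unpinned count: $(count_unpinned "$SAMPLE_WORKFLOW")"
```

To run it against a real file, pass `"$(cat .github/workflows/ci.yml)"` instead of `"$SAMPLE_WORKFLOW"`. Once a repository publishes immutable releases, the policy encoded in `find_unpinned_uses` can be relaxed to accept full-length tags like `v8.1.0` for that action, while short tags like `v8` should still be reported because they remain mutable.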