This repository hosts several central reusable workflows consumed across other repositories. Currently, these workflows reference third-party GitHub Actions via mutable version tags (e.g., @v9.0.0, @v3). Per the GitHub Actions Security Best Practices, relying on tags exposes our downstream consumers to potential supply-chain attacks if a tag is maliciously re-bound or a third-party repository is compromised. To enforce a strict security baseline, we need to transition our reusable workflows to reference actions by their immutable 40-character commit SHAs (keeping the tag as a trailing comment for readability).
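As an added example (not part of this repository), the following check scans a workflow file for `uses:` references that are not pinned to a full 40-character commit SHA, which is the condition this issue asks us to enforce. The embedded workflow text, the `example-org` action names and the all-hex SHA are constructed for illustration; `actions/checkout@v3` is a real reference of the kind being replaced.

```python
import re

# A fully pinned reference is exactly 40 lowercase hex characters.
SHA40 = re.compile(r"^[0-9a-f]{40}$")
# Captures the value of a `uses:` line; a trailing `# vX.Y.Z` comment is allowed.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)['\"]?\s*(#.*)?$")


def classify_ref(uses_value):
    """Classify one `uses:` value: local, docker, pinned, unpinned or missing-ref."""
    if uses_value.startswith("./"):          # action in this repository, no ref needed
        return "local"
    if uses_value.startswith("docker://"):   # container images are pinned differently (digest)
        return "docker"
    if "@" not in uses_value:
        return "missing-ref"
    _, ref = uses_value.rsplit("@", 1)
    return "pinned" if SHA40.match(ref) else "unpinned"


def find_unpinned(workflow_text):
    """Return (line_number, uses_value, status) for every reference that is not SHA-pinned."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_LINE.match(line)
        if match:
            value = match.group(1)
            status = classify_ref(value)
            if status in ("unpinned", "missing-ref"):
                findings.append((lineno, value, status))
    return findings


# Constructed sample workflow: one step is already pinned (constructed SHA), three are not.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v3 (constructed SHA)
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.18
      - name: Release
        uses: example-org/release-action@v9.0.0
  lint:
    uses: example-org/shared/.github/workflows/lint.yml@v1
"""

if __name__ == "__main__":
    for lineno, value, status in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {value} ({status})")
```

Running this as a pre-merge check on `.github/workflows/*.yml` flags every remaining tag reference, including reusable-workflow calls such as the `lint` job above, so regressions cannot slip back in once the migration is done.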