Problem
Your GitHub Actions are not using immutable version pins, which increases the chance of supply chain attacks. Using the SHA digests is more secure and pretty easy to do. 😄
Proposed idea
```yaml
runs:
  using: "composite"
  steps:
    - name: Setup Node
      uses: actions/setup-node@v6
```
Replace the action's version v6 with the current SHA and let Renovate/dependabot keep it updated.
Why it fits this project
It hardens the project against hostile takeovers and supply chain attacks on your users, and it helps devs detect vulns.
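As an added illustration (not part of this issue or the project), a small audit that reads a workflow or action.yml, classifies every `uses:` reference by how it is pinned, and reports the ones that still float on a mutable tag or branch; the sample file content and the 40-hex SHA in it are constructed, not real values.

```python
import re
from typing import List, Tuple

# Constructed sample of a composite action.yml mixing pinned and unpinned refs.
SAMPLE_ACTION_YML = """\
runs:
  using: "composite"
  steps:
    - name: Setup Node
      uses: actions/setup-node@v6
    - name: Checkout
      uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2 (constructed example SHA)
    - name: Local composite action
      uses: ./.github/actions/build
    - name: Floating branch ref
      uses: some-org/some-action@main
"""

USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)["\']?\s*(?:#\s*(.*))?$')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')
TAG_RE = re.compile(r'^v?\d+(\.\d+)*$')

def classify_ref(uses: str) -> str:
    """Return how a `uses:` reference is pinned: sha, tag, branch, floating or local."""
    if uses.startswith(('./', 'docker://')):
        return 'local'          # repo-local path or docker image: no GitHub ref to pin here
    if '@' not in uses:
        return 'floating'       # no ref at all: resolves to the default branch every run
    ref = uses.rsplit('@', 1)[1]
    if FULL_SHA_RE.match(ref):
        return 'sha'            # immutable: a commit digest cannot be retargeted
    if TAG_RE.match(ref):
        return 'tag'            # mutable: the tag can be moved to a different commit
    return 'branch'             # anything else is treated as a branch name (also mutable)

def audit(yaml_text: str) -> List[Tuple[str, str, str]]:
    """List (uses, kind, trailing comment) for each `uses:` line in the file."""
    findings = []
    for line in yaml_text.splitlines():
        m = USES_RE.match(line)
        if m:
            findings.append((m.group(1), classify_ref(m.group(1)), (m.group(2) or '').strip()))
    return findings

def needs_pinning(yaml_text: str) -> List[str]:
    """References a reviewer should ask to have replaced by a full commit SHA."""
    return [u for u, kind, _ in audit(yaml_text) if kind in ('tag', 'branch', 'floating')]

if __name__ == '__main__':
    for uses in needs_pinning(SAMPLE_ACTION_YML):
        print(f'not pinned to a commit SHA: {uses}')
```

The trailing `# v4.2.2` comment is the convention Renovate and Dependabot use to keep a human-readable version next to the SHA, which is what lets them bump the digest on updates.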