Title:
Feature Request: Enable Immutable Releases and pin Docker digest for supply chain security
Description:
This action is heavily relied upon across the GitHub ecosystem. To protect consumers against supply chain attacks, I'd like to propose making the action's versions truly immutable.
Right now, Git release tags are mutable, and the action.yaml points to a mutable Docker tag. If the repository or container registry were ever compromised, a malicious actor could alter the code running in users' CI/CD pipelines under an existing version string.
Proposed Changes:
- Enable GitHub’s native Immutable Releases in this repository's settings to lock down the Git tags. (only a repo admin/owner can do this)
- Update
action.yaml to point to the Docker image's SHA-256 cryptographic digest instead of just the :1.12.0 tag.
This creates a bulletproof, zero-trust workflow for your enterprise users. Let me know if you would accept a PR for the action.yaml updates!
Title:
Feature Request: Enable Immutable Releases and pin Docker digest for supply chain security
Description:
This action is heavily relied upon across the GitHub ecosystem. To protect consumers against supply chain attacks, I'd like to propose making the action's versions truly immutable.
Right now, Git release tags are mutable, and the
action.yamlpoints to a mutable Docker tag. If the repository or container registry were ever compromised, a malicious actor could alter the code running in users' CI/CD pipelines under an existing version string.Proposed Changes:
action.yamlto point to the Docker image's SHA-256 cryptographic digest instead of just the:1.12.0tag.This creates a bulletproof, zero-trust workflow for your enterprise users. Let me know if you would accept a PR for the
action.yamlupdates!