From 2a939dd49bdb1e0d1c38d33980bcb39186f8e076 Mon Sep 17 00:00:00 2001 From: Sviatoslav Sydorenko Date: Thu, 13 Jul 2023 16:44:47 +0200 Subject: [PATCH] 🎨📝 Link SHA pinning encouragement @ README MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This article [[1]] describes security flaws of using branches and tags as an end-user. The commit is intended to educate them but not force doing so if they don't want to. [1]: https://julienrenaux.fr/2019/12/20/github-actions-security-risk/ --- README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 302717e..59a5921 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ comments in the corresponding [per-release announcement discussions]. The `master` branch version has been sunset. Please, change the GitHub Action version you use from `master` to `release/v1` or use an exact -tag, or a full Git commit SHA. +tag, or opt-in to [use a full Git commit SHA] and Dependabot. ## Usage @@ -250,6 +250,9 @@ https://results.pre-commit.ci/latest/github/pypa/gh-action-pypi-publish/unstable [pre-commit.ci status badge]: https://results.pre-commit.ci/badge/github/pypa/gh-action-pypi-publish/unstable/v1.svg +[use a full Git commit SHA]: +https://julienrenaux.fr/2019/12/20/github-actions-security-risk/ + [per-release announcement discussions]: https://github.com/pypa/gh-action-pypi-publish/discussions/categories/announcements
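Review bot: in the first hunk (`@@ -18,7 +18,7 @@`), the replacement line `+tag, or opt-in to [use a full Git commit SHA] and Dependabot.` uses `opt-in` (the noun/adjective form) where the verb `opt in` is meant, and it turns the full commit SHA from a third pinning option, parallel to `release/v1` and an exact tag, into something the reader "opts into" via an external link, with "and Dependabot" left dangling without a verb or a link of its own. Suggest keeping the three options parallel and stating the reason in the README itself, so the reader does not need to follow the link to learn it, for example: `tag, or pin a [full Git commit SHA]: branches and tags are mutable references that can be moved to different code, while a full SHA is not.` If Dependabot stays in the sentence, say what it is for here (keeping a pinned SHA current through its `github-actions` version updates) or drop it.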
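Review bot: in the second hunk (`@@ -250,6 +250,9 @@`), the new `[use a full Git commit SHA]:` reference definition makes a third-party blog post from 2019 the only justification the README gives for SHA pinning, so if that link dies or changes the explanation disappears with it. Suggest citing GitHub's own "Security hardening for GitHub Actions" guide (its "Using third-party actions" section covers pinning to a full-length commit SHA) as the primary reference and keeping the article as a secondary one, and matching the reference label to the wording used in the sentence at line 21 so the link text and the definition read the same.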