Current Behavior
Currently, a few workflows use GitHub Actions which aren't internal, and are referenced by their tag.
Desired Behavior
Pinning an action to a full-length commit SHA is currently the only way to use an action as an immutable
release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's
repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
Benefits & Value
Increases security.
Additional information
No response