mirror of
https://git.tukaani.org/xz.git
synced 2025-02-20 07:28:20 +00:00
f28cc9bd48
Referencing actions by commit SHA in GitHub workflows guarantees you are using an immutable version. Actions referenced by tags and branches are more vulnerable to attacks, such as the tag being moved to a malicious commit or a malicious commit being pushed to the branch. It's important to make sure the SHA's are from the original repositories and not forks. For reference: https://github.com/actions/checkout/releases/tag/v4.1.08ade135a41https://github.com/actions/upload-artifact/releases/tag/v3.1.3a8a3f3ad30Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>