
v1.4.1

Latest


@github-actions github-actions released this 22 Jan 17:18
405b128

🩹 [Patch]: Pin GitHub-Script action to specific version (#9)

The GitHub-Script action dependency is now pinned to the commit SHA that corresponds to v1.7.8, for security and reproducibility. A release tag can be moved to point at different code after the fact, whereas a commit SHA cannot, so pinning to the SHA ensures the same code runs on every build and protects against supply-chain attacks in which an action's tag is redirected to malicious code.

Pin GitHub-Script action to specific SHA

Updated the action reference in action.yml from the commit SHA of v1.7.6 to the commit SHA of v1.7.8:

Before: PSModule/GitHub-Script@8b9d2739d6896975c0e5448d2021ae2b94b6766a (v1.7.6)
After:  PSModule/GitHub-Script@2010983167dc7a41bcd84cb88e698ec18eccb7ca (v1.7.8)

Why pin to SHA?

Pinning actions to specific commit SHAs is a security best practice that:

  • Prevents tag mutation attacks - a tag can be moved to another commit, but a commit SHA identifies exactly one tree of code
  • Ensures reproducible builds - the exact same action code runs every time the workflow runs
  • Provides an audit trail - every dependency change is an explicit, reviewable diff like the one above

A SHA pin covers only the direct dependency: if the pinned action itself references other actions by tag, those remain mutable. A pin also never moves on its own, so it has to be bumped deliberately to pick up upstream fixes, which is exactly what this release does.
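The checker below is an added example, not code from this project, showing how to audit an action.yml or workflow for `uses:` references that are not pinned to a full commit SHA and how to rewrite them once the tag has been resolved. The sample file it scans is constructed for the example; only the two GitHub-Script SHAs and tags are taken from the release notes above. The resolution step itself (`git ls-remote --tags`) is left to the caller so the script runs offline.

```python
"""Audit and pin `uses:` references in a GitHub Actions workflow or action.yml."""
import re

# Constructed sample, not the project's real action.yml. The two GitHub-Script
# references reuse the SHAs and tags quoted in the release notes; every other
# step is invented for the example.
SAMPLE_ACTION_YML = """\
name: example
runs:
  using: composite
  steps:
    - uses: PSModule/GitHub-Script@2010983167dc7a41bcd84cb88e698ec18eccb7ca # v1.7.8
    - uses: actions/checkout@v4
    - uses: actions/setup-node@main
    - uses: PSModule/GitHub-Script@8b9d2739
    - uses: ./.github/actions/local-step
    - uses: docker://alpine:3.19
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*?))?\s*$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(ref: str) -> str:
    """Return 'sha', 'mutable', 'local' or 'docker' for one `uses:` target."""
    if ref.startswith("./"):
        return "local"          # lives in this repo, so it is pinned with the repo
    if ref.startswith("docker://"):
        return "docker"         # pin these by image digest instead (not handled here)
    _repo, _at, version = ref.partition("@")
    # GitHub Actions requires the full 40-hex SHA; tags, branches and
    # abbreviated SHAs are all treated as unpinned.
    return "sha" if FULL_SHA_RE.match(version) else "mutable"


def find_unpinned(yml_text: str) -> list[tuple[int, str]]:
    """(line number, reference) for every repo action not pinned to a full SHA."""
    hits = []
    for lineno, line in enumerate(yml_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify(m.group("ref")) == "mutable":
            hits.append((lineno, m.group("ref")))
    return hits


def pin(yml_text: str, resolved: dict[str, str]) -> str:
    """Rewrite `owner/repo@tag` to `owner/repo@<sha> # tag` from a caller-supplied map.

    `resolved` maps a mutable reference to the commit it pointed at when you
    resolved it, e.g. with
        git ls-remote --tags https://github.com/PSModule/GitHub-Script v1.7.8
    For an annotated tag take the `refs/tags/<tag>^{}` line (the peeled commit),
    not the tag object's own SHA. Map values that are not full SHAs are rejected
    so a short or mistyped SHA can never be written into the file.
    """
    for ref, sha in resolved.items():
        if not FULL_SHA_RE.match(sha):
            raise ValueError(f"{ref}: {sha!r} is not a full 40-hex commit SHA")
    out = []
    for line in yml_text.splitlines():
        m = USES_RE.match(line)
        ref = m.group("ref") if m else None
        if ref in resolved:
            repo, _at, version = ref.partition("@")
            prefix = line[: line.index(ref)]
            # Keep the human-readable version as a trailing comment, the
            # convention Dependabot and Renovate maintain when bumping SHA pins.
            line = f"{prefix}{repo}@{resolved[ref]} # {version}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_ACTION_YML):
        print(f"line {lineno}: {ref} is not pinned to a full commit SHA")
```

Run it in CI against every workflow and action.yml in the repository and fail the job when `find_unpinned` returns anything; the `pin` step is then a deliberate, reviewable change exactly like the diff in this release.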