The README examples use:
uses: millionco/react-doctor@main
Since main is a mutable branch, workflows will execute whatever code that branch points to at runtime. When granting permissions such as pull-requests: write, this adds the risk of a supply-chain attack if the repo/branch is compromised.
A similar incident happened in actions like Trivy (GHSA-69fq-xp46-6x23).
Maybe add a note about optionally pinning to a commit SHA for hardened CI?
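As an added example (not code from the react-doctor project or from this issue), a small Python check that flags `uses:` references in a workflow which are not pinned to a full 40-character commit SHA. The sample workflow is constructed and the SHA in it is a placeholder; tags are flagged as well, since a tag can be moved just like a branch.

```python
import re

# Constructed sample workflow (not from the react-doctor README): one mutable
# branch ref, one tag ref, one full-SHA pin (placeholder value), one local
# action and one docker image.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
permissions:
  pull-requests: write
jobs:
  doctor:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: millionco/react-doctor@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - uses: example/pinned-action@0123456789abcdef0123456789abcdef01234567  # v1.2.3
"""

# Matches step `uses:` lines and job-level `uses:` lines for reusable workflows.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned(workflow_text: str) -> list[str]:
    """Return every `uses:` reference that is not pinned to a full commit SHA.

    Local actions (./path) and docker:// images are skipped: they are not
    resolved through a mutable git ref on GitHub.
    """
    unpinned = []
    for ref in USES_RE.findall(workflow_text):
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            unpinned.append(ref)  # no ref at all resolves to the default branch
            continue
        _, version = ref.rsplit("@", 1)
        if not FULL_SHA_RE.match(version):
            unpinned.append(ref)  # branch or tag: mutable, can be repointed
    return unpinned


if __name__ == "__main__":
    for ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"unpinned action reference: {ref}")
```

Running it against the sample reports both `actions/checkout@v4` and `millionco/react-doctor@main`; only the full-SHA pin passes.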