To minimize the supply chain risks from GitHub actions we should pin all actions using a commit SHA, with the real version as a comment. https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions
To minimize the supply chain risks from GitHub actions we should pin all actions using a commit SHA, with the real version as a comment.
https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions