Vouch request: fcanogab #1168
Closed
fcanogab started this conversation in Vouch Request
Replies: 2 comments

/vouch
@fcanogab has been vouched by @johntmyers. You can now submit pull requests to OpenShell. Welcome aboard. Please read CONTRIBUTING.md before submitting. |
What do you want to work on?
Enable Dependabot and configure it to update the GitHub Actions. Now they are unpinned or reference mutable version tags. Using Dependabot to keep GitHub Actions up to date is, in general, low friction and low risk.
I'll configure the updates with dependency cooldown to reduce the risk of malicious actions compromising the repository.
Why this change?
Unpinned actions or references to mutable version tags are a software supply chain security risk because if a third-party action is compromised it might impact the whole project. In addition, configuring Dependabot reduces the toil.
One more reason this is recommended is that security scanners raise this risk, so the project will receive feedback related to this regularly if it is not fixed.
Checklist
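The configuration the request above describes, as an added example that is not a file from the OpenShell repository or from the requester: a `.github/dependabot.yml` that enables the `github-actions` ecosystem with a dependency cooldown, followed by a workflow excerpt contrasting a mutable version tag with a full-commit-SHA pin. The weekly schedule, the seven-day cooldown, the pull-request limit and the workflow name are assumptions; the commit SHA is a placeholder and must be replaced with the real 40-character commit hash of the release being pinned.

```yaml
# .github/dependabot.yml (added example, not OpenShell's own file)
version: 2
updates:
  - package-ecosystem: "github-actions"
    # "/" tells Dependabot to scan the workflows under .github/workflows/
    directory: "/"
    schedule:
      interval: "weekly"        # assumed cadence
    # Dependency cooldown: do not adopt a version until it has been public
    # for this many days, so a release pushed from a compromised maintainer
    # account has a window in which to be noticed and yanked before it
    # reaches this repository's CI.
    cooldown:
      default-days: 7           # assumed value
    open-pull-requests-limit: 5 # assumed value
---
# .github/workflows/ci.yml (excerpt, added example; the job name is assumed)
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Weak: "v4" is a mutable tag. Whoever controls the action repository
      # can move it to any commit, and the next run executes that code.
      # - uses: actions/checkout@v4

      # Hardened: pin to an immutable commit SHA and keep the version as a
      # trailing comment. Dependabot recognises this pattern and bumps both
      # the SHA and the comment when a new release clears the cooldown.
      - uses: actions/checkout@<full-40-hex-commit-sha-placeholder> # v4.x.y
```

A quick check after enabling this: `grep -rn 'uses:' .github/workflows/` should show no `@v`-style or `@main` references left, only SHA pins with a version comment; any line still using a tag is one Dependabot cannot make immutable on its own.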