ppkarwasz opened a new pull request, #457: URL: https://github.com/apache/logging-parent/pull/457
This change replaces SHA-pinned references for actions published by the `actions` and `github` organisations with major version tags (e.g. `actions/checkout@v6`). It also corrects an inconsistency in `codeql-analysis-reusable.yaml`, where `codeql-action/init` was pinned to a different version than `codeql-action/analyze` and `codeql-action/upload-sarif`.

### Why drop pinning for these organisations?

Pinning to a SHA is the standard defence against supply-chain attacks on GitHub Actions. However, for actions owned by the `actions` and `github` organisations the trade-off looks different:

- **Same trust boundary as the runner.** These organisations own the GitHub Actions infrastructure itself. If either organisation were compromised, the runners that execute workflows would likely be compromised too. Pinning a SHA does not protect against that threat.
- **High churn, low signal.** Every patch release generates a Dependabot PR. Reviewing each one for supply-chain risk requires non-trivial effort, yet in practice every PR gets approved: the review adds no real security value.

Third-party actions (e.g. `gradle/develocity-actions`, `ossf/scorecard-action`) remain SHA-pinned.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
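The pinning policy described in the PR above, expressed as a small workflow audit: actions from the `actions` and `github` organisations may use a major version tag, every other owner must be pinned to a full commit SHA, and all `codeql-action` steps must share one ref. This is an added example, not code from the PR or the logging-parent project; the sample workflow, its refs and the all-`a` SHA are constructed placeholders.

```python
import re
from typing import Dict, List

# Organisations that share the runner's trust boundary (per the PR description);
# actions from them may be referenced by major version tag instead of SHA.
TRUSTED_ORGS = {"actions", "github"}
# Matches `uses: owner/repo[/subpath]@ref`; docker:// and local ./ uses are skipped.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+)/([\w.-]+)(/[\w./-]+)?@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(yaml_text: str) -> List[str]:
    """Return policy findings (empty list means the workflow is compliant)."""
    findings: List[str] = []
    codeql_refs: Dict[str, str] = {}
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        owner, repo, subpath, ref = m.groups()
        if owner not in TRUSTED_ORGS and not SHA_RE.match(ref):
            findings.append(f"line {lineno}: {owner}/{repo} must be SHA-pinned, found @{ref}")
        if owner == "github" and repo == "codeql-action":
            # init/analyze/upload-sarif are one release train; record each step's ref.
            codeql_refs[f"{repo}{subpath or ''}"] = ref
    if len(set(codeql_refs.values())) > 1:
        detail = ", ".join(f"{k}@{v}" for k, v in sorted(codeql_refs.items()))
        findings.append("codeql-action steps use inconsistent refs: " + detail)
    return findings


# Constructed sample workflow: one unpinned third-party action and a codeql mismatch.
SAMPLE_WORKFLOW = """\
jobs:
  analyze:
    steps:
      - uses: actions/checkout@v6
      - uses: github/codeql-action/init@v4
      - uses: github/codeql-action/analyze@v3
      - uses: github/codeql-action/upload-sarif@v3
      - uses: ossf/scorecard-action@v2.4.0
      - uses: gradle/develocity-actions@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v1
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```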
