vy commented on PR #457: URL: https://github.com/apache/logging-parent/pull/457#issuecomment-4258716924
I disagree with this view for the following reasons:

1. You treat GitHub as a single monolith, and ignore partial compromises and operational mistakes. That's a very coarse threat model.
2. Even [GitHub itself advises pinning on commit IDs](https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions).
3. Tags are mutable, and hence can be moved (force-updated). And this isn't theoretical, it's happened: `actions/checkout` has changed `v4.0.0` after release — see actions/checkout#1573.
4. Nor is the _"High churn, low signal."_ argument valid, since we [will] get grouped updates _biweekly_ — see #455.

I am not gonna stand in your way if you want to commit this change, I leave it up to you.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
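The comment above argues for pinning third-party actions to commit SHAs rather than to tags, because tags can be moved. As an added example that is not part of this PR or of the logging-parent project, here is a small audit script that scans a workflow file for `uses:` references and flags every one that is not pinned to a full 40-hex commit SHA. The workflow text, the `example-org/*` action names, and the 40-hex value are constructed placeholders, not real actions or commits.

```python
import re

# Matches "uses: <target>" with or without a leading list dash, and ignores any
# trailing "# v4.0.0" style comment (the conventional place to record the tag a
# pinned SHA corresponds to, so Dependabot/Renovate can still bump it).
USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*(\S+)')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')
SHORT_SHA_RE = re.compile(r'^[0-9a-f]{7,39}$')


def classify_ref(ref: str) -> str:
    """Classify the part after '@' in an action reference.

    Only a full 40-hex SHA is immutable. Anything else (a tag such as v4, a
    branch such as main) can be re-pointed by whoever controls the repository.
    A short hex string is treated as an abbreviated SHA, which GitHub's guidance
    also does not accept as a pin; a tag that happens to be named like hex would
    be misclassified, which is a limitation of a purely syntactic check.
    """
    if FULL_SHA_RE.match(ref):
        return "full-sha"
    if SHORT_SHA_RE.match(ref):
        return "short-sha"
    return "mutable"


def audit_workflow(text: str) -> list:
    """Return (line number, action, ref, kind) for every non-pinned external action."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1).strip('"\'')
        # Local actions and docker:// images are out of scope for SHA pinning.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        if "@" not in target:
            findings.append((lineno, target, "", "no-ref"))
            continue
        action, ref = target.rsplit("@", 1)
        kind = classify_ref(ref)
        if kind != "full-sha":
            findings.append((lineno, action, ref, kind))
    return findings


# Constructed sample workflow. The 40-hex value below is a placeholder, not a
# real actions/checkout commit; example-org/* actions do not exist.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/lint@main
      - uses: example-org/scan@abc1234
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.0.0
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.19
"""


if __name__ == "__main__":
    for lineno, action, ref, kind in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}@{ref} is not pinned to a full commit SHA ({kind})")
```

Run against a real repository with `audit_workflow(open(".github/workflows/build.yml").read())`; only the line pinned to a full SHA, the local action and the Docker image pass, while the tag, branch and abbreviated SHA references are reported.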
