GitHub Actions workflows can leverage actions and reusable workflows created by others. These external actions can be used to perform various tasks, such as checking out code, building applications, and deploying artifacts. If your workflow uses a third-party action or workflow without referencing a specific commit hash, you are at risk of pulling in code that you have not reviewed: a branch or tag reference can be moved to point at different code at any time.
There is a risk if you answered no to any of those questions.
It is recommended to pin the version with the complete commit hash when using third-party actions and workflows. This is the only way to ensure that the code pulled into your workflow is the code you have reviewed, since branches and tags are mutable while a full commit hash is not.
name: Example
on:
  pull_request:
jobs:
  example:
    runs-on: ubuntu-latest
    steps:
      - uses: docs/example-action@main # Sensitive
Use the full commit hash as a reference to pin the version.
name: Example
on:
  pull_request:
jobs:
  example:
    runs-on: ubuntu-latest
    steps:
      - uses: docs/example-action@b16d2601a6b948e2fb26f3772276581f31daa7cd
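To check this rule across a workflow file, the following added script (not part of the original rule page or of any project) lists every remote `uses:` reference whose ref is not a full 40-character commit hash; the sample workflow it scans is constructed for the example and mixes pinned and unpinned references.

```python
import re

# Matches a `uses:` reference to a remote action or reusable workflow, e.g.
#   uses: docs/example-action@main
#   uses: org/repo/.github/workflows/build.yml@v1
# Local (./path) and docker:// references carry no git ref and are not matched.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w./-]+)@([^\s'\"#]+)")
# A full commit hash is exactly 40 hexadecimal characters.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_uses(workflow_text):
    """Return (line_number, action, ref) for every remote `uses:` whose ref is
    not a full commit hash (branch names, tags and short hashes all count)."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if not FULL_SHA_RE.match(ref):
            findings.append((lineno, action, ref))
    return findings


# Constructed sample workflow (not from the page) with pinned and unpinned refs.
SAMPLE_WORKFLOW = """\
name: Example
on:
  pull_request:
jobs:
  example:
    runs-on: ubuntu-latest
    steps:
      - uses: docs/example-action@main
      - uses: docs/example-action@v1.2.3
      - uses: docs/example-action@b16d2601
      - uses: docs/example-action@b16d2601a6b948e2fb26f3772276581f31daa7cd
      - uses: ./.github/actions/local-action
  reuse:
    uses: docs/example-repo/.github/workflows/build.yml@main
"""

if __name__ == "__main__":
    for lineno, action, ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}@{ref} is not pinned to a full commit hash")
```

A trailing `# v1.2.3` comment after a full hash is accepted, so the common practice of recording the human-readable version next to the pinned hash is not flagged.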