Skip to content

Commit

Permalink
Merge pull request #353 from eclipse-tractusx/dependabot/github_actio…
Browse files Browse the repository at this point in the history 
…ns/dot-github/workflows/tj-actions/changed-files-41

chore(deps): bump tj-actions/changed-files from 40 to 41 in /.github/workflows
  • Loading branch information
@ds-jhartmann
ds-jhartmann authored Jan 8, 2024
2 parents 4e4db83 + 30bda62 commit bec8b7b
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion .github/workflows/changelog-changes.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ jobs:

- name: Check if CHANGELOG file was changed
id: changelog-changed
uses: tj-actions/changed-files@v40
uses: tj-actions/changed-files@v41

Check warning on line 26 in .github/workflows/changelog-changes.yaml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

Check warning on line 26 in .github/workflows/changelog-changes.yaml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

Check warning on line 26 in .github/workflows/changelog-changes.yaml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
with:
files: |
CHANGELOG.md
Expand Down

0 comments on commit bec8b7b

Please sign in to comment.