
Because reading the code is useless if you can't pin the version, and the article explains well that it's hard to do

> However, only hash pinning ensures the same code runs every time. It is important to consider transitive risk: even if you hash pin an Action, if it relies on another Action with weaker pinning, you're still exposed.



Depending on your circumstances (and if the license of the action allows it) it's "easy" to fork the action and use your own fork. Instant "pinning".


But how does that solve the issue with the forked action not using pinned versions itself?

You need to recursively fork and modify every version of the GHA and do that to its sub-actions.

You'd need something like a lockfile mechanism to prevent this.


Yes, that is completely true -- transitive dependencies are a problem. What I suggested only works in the simplest cases and isn't a great solution, more of a bandaid.
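The transitive problem the thread describes can be checked mechanically: a workflow may pin every `uses:` to a full commit SHA while a composite action it depends on still references `@v4` or `@main`. The following is an added example, not code from the thread or from any project it mentions. It scans the `uses:` lines of workflow and `action.yml` text, classifies each reference as SHA-pinned, tag, branch or unpinned, and reports the weakest pinning across the whole set. The two YAML documents, the repository names, the 40-hex SHAs and the image digest are all constructed for the example; the line-oriented regex stands in for a real YAML parser so the script runs with the standard library only.

```python
"""Flag mutable `uses:` references in GitHub Actions workflow and action files.

Added example for the discussion above; not code from the thread. Inputs are
constructed YAML text. A line-oriented regex is used instead of a YAML parser
so the script needs only the standard library.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A `uses:` step reference, optionally quoted, with any trailing comment dropped.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)', re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

MUTABLE = {"tag", "branch", "unpinned"}          # kinds that can change under you
RANK = {"sha": 0, "tag": 1, "branch": 2, "unpinned": 3}  # weakest wins


@dataclass(frozen=True)
class Ref:
    source: str   # label of the file the reference came from
    target: str   # owner/repo[/path], local path, or image name
    ref: str      # text after '@' (sha, tag, branch, digest) or ''
    kind: str     # local | sha | tag | branch | unpinned


def classify(uses: str) -> tuple[str, str, str]:
    """Return (target, ref, kind) for one `uses:` value."""
    if uses.startswith("./"):
        # Same-repository path: pinned implicitly by the commit being built.
        return uses, "", "local"
    if uses.startswith("docker://"):
        name, _, digest = uses[len("docker://"):].partition("@")
        return name, digest, "sha" if digest.startswith("sha256:") else "tag"
    target, _, ref = uses.partition("@")
    if SHA_RE.match(ref):
        kind = "sha"
    elif not ref:
        kind = "unpinned"
    elif re.match(r"^v?\d", ref):
        kind = "tag"      # version-looking tag; still movable by the maintainer
    else:
        kind = "branch"   # branch or non-version tag; mutable either way
    return target, ref, kind


def scan(source: str, text: str) -> list[Ref]:
    """Extract and classify every `uses:` reference in one file's text."""
    return [Ref(source, *classify(m.group(1))) for m in USES_RE.finditer(text)]


def mutable_refs(refs: list[Ref]) -> list[Ref]:
    return [r for r in refs if r.kind in MUTABLE]


def weakest_pinning(refs: list[Ref]) -> str:
    """The weakest pinning kind present; local paths do not count."""
    kinds = [r.kind for r in refs if r.kind != "local"]
    return max(kinds, key=RANK.__getitem__, default="sha")


# Constructed workflow: every step is hash- or digest-pinned.
WORKFLOW = """
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@1111111111111111111111111111111111111111  # constructed SHA
      - uses: example-org/setup-tool@3333333333333333333333333333333333333333  # constructed composite action
      - uses: ./.github/actions/local-helper
      - uses: "docker://alpine@sha256:%s"
""" % ("2" * 64)

# Constructed action.yml of example-org/setup-tool: the transitive weak link.
COMPOSITE_ACTION = """
name: setup-tool
runs:
  using: composite
  steps:
    - uses: actions/setup-node@v4
      with:
        node-version: 20
    - uses: some-org/helper@main
    - run: echo done
      shell: bash
"""


def main() -> None:
    direct = scan("ci.yml", WORKFLOW)
    transitive = scan("example-org/setup-tool/action.yml", COMPOSITE_ACTION)
    print("direct only:", weakest_pinning(direct))
    print("with transitive:", weakest_pinning(direct + transitive))
    for r in mutable_refs(direct + transitive):
        print(f"  {r.source}: {r.target}@{r.ref or '<none>'} ({r.kind})")


if __name__ == "__main__":
    main()
```

Run as-is, the workflow alone scores `sha`, but once the composite action's own steps are included the effective pinning drops to `branch`, which is the point the thread makes: hash pinning only holds if every action in the chain is checked the same way.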



