Why You Should Not Use The Version Tag Or Branch Name When Using GitHub Actions
Malicious code can be inserted into any GitHub action, even those which are tagged.
With these words, Julien Renaux's article titled "Use GitHub actions at your own risk" begins.
Before reading this article from late 2019, I gave little thought to t...
blog.natterstefan.me · 4 min read
Corey Seliger
The security concern makes sense. However, why not fork the action and have complete control, refreshing from upstream at your leisure and comfort? What if the author decided to no longer host that code?