mirror of
https://github.com/checkpoint-restore/criu.git
synced 2026-07-17 16:47:50 +00:00
Third-party GitHub Actions referenced by tags can change without a CRIU patch if the upstream action repository moves or compromises a tag. That is especially sensitive for actions that receive CI credentials such as CODECOV_TOKEN or GITHUB_TOKEN. Pin the remaining non-GitHub actions used by regular workflows to the full commit IDs currently behind their version tags. Keep the version tag in a comment next to each SHA so reviewers can see the intended release and future updates remain explicit. Leave GitHub-owned actions on version tags to match the existing linux-next workflow policy, which already pins non-GitHub actions while using tags for actions/* refs. This keeps the hardening focused on third-party supply chain risk without forcing the repository-wide SHA policy that would also require pinning GitHub-authored actions. Fixes: #3068 Assisted-by: Codex:gpt-5 Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org> |
||
|---|---|---|
| .. | ||
| action.yml | ||