Update GitHub Actions checkout and status action versions#1401
Conversation
PR Summary
Checks from Push Test PR #1404
Checks from Push as App Test PR #1403
Checks from Request Change Test PR #1402
Pull request overview
This PR updates the GitHub Actions version references in the README documentation to align with the versions currently used in the repository's actual workflow files. The check-git-status-action repository maintains example workflows in its README, and this update ensures the documentation reflects current best practices.
Changes:
- Updated actions/checkout from v3 to v6 in the README example
- Updated CatChen/check-git-status-action from v1 to v2 in the README example
| touch some-build-artefact-newly-generated-in-the-build-process | ||
| - uses: CatChen/check-git-status-action@v1 | ||
| - uses: CatChen/check-git-status-action@v2 |
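Review bot: the replacement line `- uses: CatChen/check-git-status-action@v2` still references a mutable major-version tag, and because this is the README example that users copy into their own workflows, it is worth showing the hardened form here: a full commit SHA with the version in a trailing comment (e.g. `- uses: CatChen/check-git-status-action@<40-hex-commit-sha> # v2`, SHA to be filled in from the v2 release) and, if the README snippet does not already have one, a `permissions:` block scoped to what the step needs. Also worth confirming in the same example that any inputs under `with:` still match the v2 interface, since the hunk only bumps the tag.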
This workflow example uses the third-party action CatChen/check-git-status-action@v2 pinned only to a mutable tag, which exposes you to supply chain risk if that tag is ever retagged with malicious code. Because this action runs in your CI with the default GITHUB_TOKEN and is capable of modifying repository state, a compromised release could exfiltrate secrets or alter code and build artifacts. To reduce this risk, pin the action to a specific commit SHA and limit the workflow/token permissions to the minimum required for this step.
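The pinning advice above is easy to check mechanically. The following is an added example, not code from this PR or from the check-git-status-action project: a small scanner that reads workflow text, flags every `uses:` reference that points at a mutable tag or branch instead of a 40-hex commit SHA, and reports whether a top-level `permissions:` block is present. The sample workflow and the commit SHA in it are constructed for illustration; the SHA is a placeholder, not a real release commit.

```python
import re

# Constructed sample workflow for the demo (not the repository's README example).
# The 40-hex SHA on the setup-node line is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: check
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - run: touch some-build-artefact-newly-generated-in-the-build-process
      - uses: CatChen/check-git-status-action@v2
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.0
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
"""

# Matches "uses: <ref>" step lines; the ref stops at whitespace or a '#' comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full-length commit SHA is the only immutable reference GitHub resolves.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref):
    """Classify a uses: reference as 'sha', 'tag', 'local' or 'docker'.

    Local actions (./path) and docker:// images are not resolved via a git
    ref, so they are reported separately rather than as unpinned tags.
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    _, _, version = ref.partition("@")
    return "sha" if SHA_RE.match(version) else "tag"


def find_unpinned_uses(text):
    """Return [(line_number, ref)] for every action pinned to a mutable ref."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)
        if match and classify_ref(match.group(1)) == "tag":
            findings.append((lineno, match.group(1)))
    return findings


def has_top_level_permissions(text):
    """True if the workflow declares a top-level permissions: block.

    Only column-0 keys count; job-level permissions are a separate check.
    """
    return any(line.startswith("permissions:") for line in text.splitlines())


if __name__ == "__main__":
    for lineno, ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is pinned to a mutable ref, not a commit SHA")
    if not has_top_level_permissions(SAMPLE_WORKFLOW):
        print("no top-level permissions: block; GITHUB_TOKEN gets the default scope")
```

This is a line-oriented heuristic, not a YAML parser, so it is suited to a quick pre-commit or CI lint rather than as a replacement for a dedicated tool; on the sample above it reports the `actions/checkout@v6` and `CatChen/check-git-status-action@v2` lines and is silent on the SHA-pinned, local and docker references.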
No description provided.