Distinguishing immutable from mutable actions as a consumer #216

Open
spencerschrock opened this issue Nov 14, 2024 · 0 comments
The README shows the following example for consuming an immutable action:

Consumers of your action will then be able to specify that version to consume your action from the package, e.g.

  • - uses: your-name/your-action@v1.2.3
  • - uses: your-name/your-action@v1

This is indistinguishable from the existing syntax for mutable actions, which I assume is for backwards compatibility reasons.

Is there any way for a consumer or analysis tool to know what security guarantees to expect from an action (e.g. if pinning to a SHA is necessary for immutability)?
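
An added example, not part of the original issue or of the project's own code: a small Python check of the kind an analysis tool could run over a workflow, reporting what the `uses:` syntax alone can establish. The sample workflow, the label names, and the 40-hex-character SHA rule are assumptions made for illustration.

```python
import re

# Constructed sample workflow text (not taken from any real repository).
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: your-name/your-action@v1.2.3
      - uses: your-name/your-action@v1
      - uses: your-name/your-action@main
      - uses: your-name/your-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./local-action
      - uses: docker://alpine:3.20
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")       # assumed: full SHA-1 commit id
VERSION_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")   # v1, v1.2, v1.2.3


def classify(ref: str) -> str:
    """Classify one `uses:` value by what its syntax alone can prove."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return "not-a-repo-ref"
    if "@" not in ref:
        return "invalid"
    _, version = ref.rsplit("@", 1)
    if FULL_SHA_RE.match(version):
        return "sha-pinned"
    if VERSION_RE.match(version):
        # Could be a mutable git tag or an immutable package version:
        # the syntax is identical, which is the gap the issue describes.
        return "ambiguous-version"
    return "mutable-ref"  # assumed to be a branch or a non-version tag


def audit(workflow_text: str) -> list[tuple[str, str]]:
    """Return (reference, verdict) for every `uses:` line in the workflow."""
    return [(ref, classify(ref)) for ref in USES_RE.findall(workflow_text)]


if __name__ == "__main__":
    for ref, verdict in audit(SAMPLE_WORKFLOW):
        print(f"{verdict:18} {ref}")
```

Both README-style references land in `ambiguous-version`; only the SHA-pinned line can be confirmed from the workflow file itself.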
