While this is good advice, pinned GitHub Actions are not immutable because they share the same syntax as a label.
This means that someone can delete the image tied to an SHA and replace it with a label (that matches the SHA) to point it to a different image.
GitHub could fix this by migrating to a new syntax, but I suspect Docker is the underline issue here. https://s.ovalerio.net/@dethos/112552632476543887
Jeff Triplett /
npub1ns…8ahke
2024-06-03 13:14:27
Author Public Key
npub1nsp3hg75ge84dn5fttlkpxpxnj0dfl697239dtyz4js3mdw2jllqf8ahkePublished at
2024-06-03 13:14:27Event JSON
{
"id": "a87579eaa3a251977131cc8ced5d6992ee71d3945167e61d78ea1f4153e0654e",
"pubkey": "9c031ba3d4464f56ce895aff6098269c9ed4ff45f2a256ac82aca11db5ca97fe",
"created_at": 1717420467,
"kind": 1,
"tags": [
[
"proxy",
"https://mastodon.social/@webology/112552867787911461",
"web"
],
[
"proxy",
"https://mastodon.social/users/webology/statuses/112552867787911461",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://mastodon.social/users/webology/statuses/112552867787911461",
"pink.momostr"
]
],
"content": "While this is good advice, pinned GitHub Actions are not immutable because they share the same syntax as a label. \n\nThis means that someone can delete the image tied to an SHA and replace it with a label (that matches the SHA) to point it to a different image. \n\nGitHub could fix this by migrating to a new syntax, but I suspect Docker is the underline issue here. https://s.ovalerio.net/@dethos/112552632476543887",
"sig": "9e5a89aa0e6b58094041e74017c4868bf80e202d55bc3a022e7869310b8c29366a094b4e6309c8e4b9e51bec6c7be1b1ada7698f12a6ecdf36cea76a1c060ebd"
}