A tool that annotates GitHub Actions pinned to commit SHAs with a version comment whenever Dependabot updates them.
The Problem with Actions
GitHub Actions is a great tool for CI/CD. It draws on GitHub's vast community to share Actions easily, which greatly simplifies many use cases and integrations.
One major issue with Actions is versioning, which is based on ordinary git tags. These tags are not immutable, so attackers could delete a tag, introduce malicious code, and add the same tag again; anybody using that tag is then running the malicious code.
Instead of pinning to tags, it is encouraged to pin to commit SHAs. Dependabot can thankfully already keep such SHA pins up to date if you want that. The only drawback is readability: the long random-looking hash says nothing about which version it is. This tool is meant to make that easier by introducing and maintaining a simple comment for every pinned Action that shows the version corresponding to the given commit SHA.
- uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
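The following is an added example (not the tool's own code) of the core idea: scan a workflow file for `uses:` lines, keep the `# vX.Y.Z` comment in sync with a SHA-to-tag mapping, and flag steps that are still pinned to a mutable tag or branch. The workflow text and the `actions/cache` SHA are constructed; the `actions/checkout` SHA and its `v2.3.4` tag are the ones shown above. A real tool would obtain the mapping from the action repository's tags (for example via the GitHub API) rather than from a hard-coded dictionary.

```python
import re

# Matches a `uses:` step referencing a GitHub-hosted action and captures the
# indentation, the action path (owner/repo[/subpath]), the ref after '@' and
# whatever follows (usually nothing or a trailing '# comment').
USES_RE = re.compile(
    r"^(?P<indent>\s*-?\s*uses:\s*)"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?P<rest>\s*(?:#.*)?)$"
)
# A full 40-hex-digit git commit SHA.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow: one stale comment, one mutable tag pin, one SHA
# pin whose tag is unknown to us.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  build:
    steps:
      - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.3
      - uses: actions/setup-node@v3
      - uses: actions/cache@0000000000000000000000000000000000000000
        with:
          path: ~/.npm
      - run: npm test
"""

# Constructed mapping (repo, sha) -> tag. The checkout entry is the one from
# the page; in practice this comes from the repository's tags.
SHA_TO_TAG = {
    ("actions/checkout", "5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f"): "v2.3.4",
}


def annotate_workflow(text, sha_to_tag):
    """Return (annotated_text, findings).

    findings is a list of (line_number, action, message) tuples describing
    every step that was updated or that needs attention.
    """
    out = []
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            out.append(line)
            continue
        action, ref, rest = m.group("action"), m.group("ref"), m.group("rest")
        if not SHA_RE.match(ref):
            # Tags and branches can be moved or re-created; report, don't rewrite.
            findings.append((lineno, action, f"pinned to mutable ref '{ref}', not a commit SHA"))
            out.append(line)
            continue
        repo = "/".join(action.split("/")[:2])  # drop any subpath inside the repo
        tag = sha_to_tag.get((repo, ref))
        if tag is None:
            findings.append((lineno, action, f"no tag known for {ref[:12]}; comment left unchanged"))
            out.append(line)
            continue
        existing = rest.strip().lstrip("#").strip() or None
        if existing != tag:
            findings.append((lineno, action, f"comment updated: {existing!r} -> {tag!r}"))
        # Always emit the canonical form: SHA pin followed by the version comment.
        out.append(f"{m.group('indent')}{action}@{ref} # {tag}")
    new_text = "\n".join(out) + ("\n" if text.endswith("\n") else "")
    return new_text, findings


if __name__ == "__main__":
    annotated, notes = annotate_workflow(SAMPLE_WORKFLOW, SHA_TO_TAG)
    print(annotated)
    for lineno, action, msg in notes:
        print(f"line {lineno}: {action}: {msg}")
```

Running it rewrites the stale `# v2.3.3` comment to `# v2.3.4`, leaves the `actions/cache` line untouched because its SHA is not in the mapping, and reports the `actions/setup-node@v3` step as a mutable pin that should be converted to a SHA.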
See the GitHub project