Pin GitHub Actions by commit hash to ensure supply chain security.
Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full-length commit SHA. You can find the commit SHA for the latest tag in the action’s repository, and keep it current with an auto-updater such as Dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:
By default, the rule allows the following actions without pinning: “actions/checkout”, “datadog/datadog-sca-github-action”, “datadog/datadog-static-analyzer-github-action”
Arguments
Use the rule argument allow to specify additional actions that may be used without pinning. The list is comma-separated.
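The check this rule performs, as an added example that is not the rule's own implementation: it scans the uses: references in a workflow, accepts only a full-length commit SHA as a pin, skips local and docker:// actions (which have no git ref to pin), and honours the default allowlist above plus a comma-separated allow argument. The workflow text and the example-org/example-action SHA are constructed for the demo.

```python
import re
from typing import List, Tuple

# Actions the rule allows without pinning by default (from the rule description)
DEFAULT_ALLOW = {
    "actions/checkout",
    "datadog/datadog-sca-github-action",
    "datadog/datadog-static-analyzer-github-action",
}

# Matches "uses: owner/repo[/path]@ref" inside a step, stopping before any trailing comment
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
# A pin is a full 40-character hex commit SHA, nothing shorter and no tag or branch
SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def is_pinned(ref: str) -> bool:
    return SHA_RE.fullmatch(ref) is not None


def find_unpinned(workflow_text: str, allow: str = "") -> List[Tuple[int, str]]:
    """Return (line number, uses value) for every action not pinned to a commit SHA."""
    allowed = DEFAULT_ALLOW | {a.strip() for a in allow.split(",") if a.strip()}
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        uses = m.group(1)
        # Local actions and docker images are not git references, so there is nothing to pin
        if uses.startswith("./") or uses.startswith("docker://"):
            continue
        repo_path, sep, ref = uses.partition("@")
        repo = "/".join(repo_path.split("/")[:2])  # owner/repo, dropping any subdirectory
        if repo in allowed:
            continue
        if not sep or not is_pinned(ref):
            findings.append((lineno, uses))
    return findings


# Constructed workflow: the SHA and example-org/example-action are placeholders, not real commits
SAMPLE_WORKFLOW = """jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@main
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v2.3.1
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for lineno, uses in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {uses} is not pinned to a commit SHA")
```

Only actions/setup-node@main is reported: actions/checkout is on the default allowlist, and passing allow="actions/setup-node" silences that finding as well.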