Commit fcf7c46
workflows: pin msys2/setup-msys2 action to a specific commit hash
Replace the mutable tag reference 'msys2/setup-msys2@v2' with a pinned
commit SHA in zephyr.yml.
Why this is recommended:
Tags in GitHub Actions are mutable - a repository owner can silently
move a tag (e.g. 'v2') to point to a different, potentially malicious
commit at any time without the consuming workflow receiving any
notification. Pinning to a full commit SHA ensures the exact code that
was reviewed is what runs in CI, making the reference immutable.
Threats prevented:
- Supply chain attacks: a compromised or malicious actor with write
access to the msys2/setup-msys2 repository cannot push new code under
the existing 'v2' tag and have it automatically executed in our CI
without an explicit code review and hash update on our side.
- Dependency confusion: prevents accidental or forced resolution to an
unintended version of the action.
The comment '# v2' is retained to make it clear which upstream release
the hash corresponds to, aiding future maintenance when a deliberate
update is needed.
Signed-off-by: Tomasz Leman <tomasz.m.leman@intel.com>
1 parent 8d6a3f6 commit fcf7c46
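The commit message above describes the check by hand: a `uses:` reference is immutable only when its `@ref` is a full commit SHA, and the trailing `# vN` comment records which upstream release that SHA came from. The following audit script is an added example, not part of this commit or of the project's tooling; it scans workflow text for `uses:` lines and reports mutable tag or branch references and SHA pins that lack a version comment. The workflow text, the `example-org/*` action names and the SHA `0123...4567` are constructed for the example and do not refer to real actions or commits.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Only a full 40-hex commit SHA is an immutable pin. Tags and branches can be
# moved by the upstream repository owner; short SHAs are ambiguous, so they are
# not accepted as pins here either.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

# Matches a step's `uses:` line and captures the reference and any trailing
# `# comment` (conventionally the release tag the SHA corresponds to).
USES_LINE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^'\"\s#]+)['\"]?\s*(?:#\s*(?P<comment>.*?))?\s*$",
    re.MULTILINE,
)

# Constructed sample workflow (hypothetical; not the repository's zephyr.yml).
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567 # v2
        with:
          msystem: MINGW64
      - uses: example-org/other-tool@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/branch-tool@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""


@dataclass
class UsesRef:
    line_no: int
    target: str            # owner/repo[/path], ./local/path or docker://image
    ref: Optional[str]     # text after '@'; None for local paths and images
    comment: Optional[str]  # trailing '# ...' comment, if any


def parse_uses(workflow_text: str) -> List[UsesRef]:
    """Extract every `uses:` reference with its 1-based line number."""
    refs = []
    for m in USES_LINE.finditer(workflow_text):
        line_no = workflow_text.count("\n", 0, m.start()) + 1
        raw = m.group("ref")
        if raw.startswith("./") or raw.startswith("docker://"):
            # Local actions ship with the repository and container images have
            # their own pinning mechanism, so they are recorded but not graded.
            refs.append(UsesRef(line_no, raw, None, m.group("comment")))
            continue
        target, _, ref = raw.partition("@")
        refs.append(UsesRef(line_no, target, ref or None, m.group("comment")))
    return refs


def classify(u: UsesRef) -> str:
    """Return 'skip', 'pinned', 'pinned-no-comment' or 'mutable'."""
    if u.ref is None:
        return "skip"
    if FULL_SHA.match(u.ref):
        return "pinned" if u.comment else "pinned-no-comment"
    return "mutable"


def audit(workflow_text: str) -> List[str]:
    """Return one finding per `uses:` line that is not a documented SHA pin."""
    findings = []
    for u in parse_uses(workflow_text):
        kind = classify(u)
        if kind == "mutable":
            findings.append(
                f"line {u.line_no}: {u.target}@{u.ref} is a mutable ref; "
                f"pin to a full commit SHA and note the release in a comment"
            )
        elif kind == "pinned-no-comment":
            findings.append(
                f"line {u.line_no}: {u.target} is SHA-pinned but has no "
                f"'# <version>' comment recording the upstream release"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_WORKFLOW):
        print(finding)
```

To obtain the SHA for a pin, resolve the tag on the upstream repository with `git ls-remote --tags <repo-url> <tag>`; for an annotated tag the peeled `^{}` entry is the commit the workflow will actually run, and that is the value to place after `@`.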
1 file changed
Lines changed: 1 addition & 1 deletion
zephyr.yml, hunk covering lines 398-404: line 401 replaced (1 addition, 1 deletion); the changed line's text is not present on this page.
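Review bot: the retained '# v2' comment should name the exact release tag that resolved to the pinned SHA rather than the floating 'v2' label, since 'v2' is the same mutable alias this change moves away from and update tooling such as Dependabot reads that trailing comment to propose new pins. The hunk body is not visible on this page, so the SHA itself cannot be checked here; before merging, confirm with `git ls-remote --tags` against msys2/setup-msys2 that it is the commit the v2 tag pointed to when the change was made.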