Skip to content

feature to require exact version number on a 3rd party action #524

New issue
New issue
Open
Open
feature to require exact version number on a 3rd party action#524
@perryd01

Description

@perryd01
perryd01
opened on Mar 20, 2025

feature request to require exact version number on a 3rd party action

Why

Example

an opt in feature where this would be invalid:

      - run: echo "Checking commit '${{ github.event.head_commit.message }}'"
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node_version: 18.x

and this would be valid

      - run: echo "Checking commit '${{ github.event.head_commit.message }}'"
      - uses: actions/checkout@v4.2.2
      - uses: actions/setup-node@v4.3.0
        with:
          node_version: 18.x

Activity

david-mcdowell-ilw

david-mcdowell-ilw commented on Jun 3, 2025

@david-mcdowell-ilw
david-mcdowell-ilw
on Jun 3, 2025

This would be a good addition, but it's important to note that the real fix for that related issue is to point to a commit SHA, not just another git tag that can be redirected with malicious code.

      - run: echo "Checking commit '${{ github.event.head_commit.message }}'"
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
        with:
          node_version: 18.x
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      No branches or pull requests

        Participants

        @david-mcdowell-ilw@perryd01

        Issue actions
          feature to require exact version number on a 3rd party action · Issue #524 · rhysd/actionlint