Context
In the review of #34, the reviewer flagged that several third-party actions in the new PR-preview family use mutable major-version tags rather than commit-SHA pins:
- `rossjrw/pr-preview-action@v1` (preview-deploy.yml)
- `marocchino/sticky-pull-request-comment@v3` (preview-deploy.yml)
- `browser-actions/setup-chrome@v1` (preview/action.yml)
The deploy job runs in the base-repo context with contents: write + pull-requests: write, so a tag-overwrite or upstream compromise there has real impact. The concern is legitimate.
Why this is deferred from #34 rather than fixed in-place
This is not an issue specific to the preview family — it's a repo-wide convention question. Every third-party action across d-morrison/gha currently uses a major-version tag, with zero SHA pins anywhere:
- `quarto-dev/quarto-actions/setup@v2`, `quarto-dev/quarto-actions/render@v2`
- `lycheeverse/lychee-action@v2`
- `UCD-SERG/changelog-check-action@v2`
- `anthropics/claude-code-action@v1`
- `actions/checkout@v5`, `actions/cache@v4`, `actions/*-artifact@v4`, `actions/deploy-pages@v4`, …
Pinning only the three actions flagged in #34 would:
- Break the repo-wide convention — singling out 3 of ~10 third-party actions is arbitrary and makes the preview files read differently from every other workflow (cuts against the "code should read like the surrounding code" priority).
- Silently freeze them with no auto-bump — there is no `dependabot.yml` in this repo, so SHA-pinned actions would never receive upstream security/bug fixes. In an unmonitored repo, a frozen SHA can be worse for security than a maintained major tag.
Decision needed
Pick one policy and apply it uniformly:
- (A) Adopt SHA pinning repo-wide — pin all third-party actions to SHAs (version in a trailing comment) and add `.github/dependabot.yml` with the `github-actions` ecosystem so the pins get auto-bumped. This is the GitHub-recommended hardening posture.
- (B) Keep major-version tags repo-wide — accept the (low, given the trusted upstreams) supply-chain risk in exchange for automatic patch uptake and consistency; optionally still add dependabot to surface major bumps.
Whichever is chosen, the preview family should match the rest of the repo.
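Whichever option is chosen, the "zero SHA pins anywhere" claim above and the option (A) convention (full commit SHA plus a trailing version comment) are both mechanically checkable. The following audit script is an added example, not code from the d-morrison/gha repo: it scans raw workflow or composite-action YAML for `uses:` lines and reports every remote reference that is not a 40-hex commit SHA with a version comment, so the same check can run against any of the workflows listed above. The sample workflow embedded in it is constructed for illustration, and the 40-hex value in it is a placeholder, not a real commit of any action.

```python
"""Audit GitHub Actions `uses:` references against the pinning policy in option (A).

Added example, not part of the d-morrison/gha repo. It scans raw workflow or
composite-action YAML with a regex (a `uses:` line is simple enough that no YAML
parser is needed) and reports every third-party reference that is not pinned to
a full 40-hex commit SHA carrying a trailing version comment.
"""
import re
from collections import Counter

# A `uses:` line: optional list dash, the reference, optional trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>.*))?$")
# Full-length lowercase git commit SHA: the only immutable form of a ref.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Version-like tags (v1, v2.3, 4.0.1) are mutable, since the tag can be moved.
TAG_RE = re.compile(r"^v?\d+(?:\.\d+)*$")


def classify_ref(ref):
    """Return (kind, name, version) for a `uses:` reference.

    kind is one of: local (./path), docker (docker://...), sha, tag, branch.
    """
    if ref.startswith("./"):
        return "local", ref, None
    if ref.startswith("docker://"):
        return "docker", ref, None
    name, _, version = ref.partition("@")
    if SHA_RE.match(version):
        return "sha", name, version
    if TAG_RE.match(version):
        return "tag", name, version
    return "branch", name, version


def audit_uses(yaml_text):
    """Return one finding per `uses:` line that violates the pinning policy."""
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        kind, name, version = classify_ref(ref)
        if kind in ("local", "docker"):
            continue  # local composite actions and container images are out of scope here
        if kind == "sha":
            if not m.group("comment"):
                findings.append({"line": lineno, "ref": ref, "kind": kind,
                                 "reason": "SHA pin has no trailing version comment"})
            continue
        findings.append({"line": lineno, "ref": ref, "kind": kind,
                         "reason": f"mutable {kind} '{version}' instead of a commit SHA"})
    return findings


def summarize(yaml_text):
    """Count remote references by kind, e.g. {'tag': 3, 'sha': 2, 'branch': 1}."""
    counts = Counter()
    for line in yaml_text.splitlines():
        m = USES_RE.match(line)
        if m:
            kind = classify_ref(m.group("ref"))[0]
            if kind not in ("local", "docker"):
                counts[kind] += 1
    return dict(counts)


# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: preview-deploy
on: pull_request
permissions:
  contents: write
  pull-requests: write
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: ./preview
      - uses: rossjrw/pr-preview-action@v1
      - uses: marocchino/sticky-pull-request-comment@v3
      - uses: browser-actions/setup-chrome@0123456789abcdef0123456789abcdef01234567 # v1 (placeholder)
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/other-action@main
"""

if __name__ == "__main__":
    for f in audit_uses(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['ref']}: {f['reason']}")
    print(summarize(SAMPLE_WORKFLOW))
```

Run against the real `.github/workflows/*.yml` and `*/action.yml` files, `summarize` gives the repo-wide count behind the "zero SHA pins" statement, and `audit_uses` becomes the CI gate for option (A): a SHA pin without its version comment is flagged too, because without the comment nobody can tell which release the pin corresponds to when dependabot (or a human) later bumps it.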
Deferred from #34 review (finding: "Supply-chain risk: third-party actions on mutable major tags").