[openstreetmap/openstreetmap-website] Lock GitHub Actions dependencies to SHAs for security and predictability (PR #6332)

Paul Norman notifications at github.com
Tue Aug 19 08:35:31 UTC 2025


pnorman left a comment (openstreetmap/openstreetmap-website#6332)

But we don't release anything through GH actions, do we? A malicious party could break our CI but they can do that by taking down their actions.

I'm not sure what we're trying to protect against. I know supply chain attacks are real, but what's the impact beyond CI?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/6332#issuecomment-3199784983
You are receiving this because you are subscribed to this thread.

Message ID: <openstreetmap/openstreetmap-website/pull/6332/c3199784983 at github.com>