Commit ddb61ae
committed
Action: pin used action runner
In light of recent security breaches and supply attack via GH Actions, following the best practice of pinning any underlying action runner used seems prudent (even though this action doesn't use secrets).
The XMLLint Validate action only uses one other action, and a low risk one at that.
This commit pins that action to the 1.2.0 release of the action runner.
Refs:
* https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
* https://www.bleepingcomputer.com/news/security/supply-chain-attack-on-popular-github-action-exposes-ci-cd-secrets/
* https://www.bleepingcomputer.com/news/security/github-action-hack-likely-led-to-another-in-cascading-supply-chain-attack/
* reviewdog/reviewdog#2079
* https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-github-action-cve-2025-300661 parent ef1c33c commit ddb61ae
1 file changed
Lines changed: 1 addition & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
159 | 159 | | |
160 | 160 | | |
161 | 161 | | |
162 | | - | |
| 162 | + | |
163 | 163 | | |
164 | 164 | | |
165 | 165 | | |
| |||
0 commit comments