[PR] Pin github actions to a commit hash [daffodil]

["stevedlawrence (via GitHub)" <gi...@apache.org>]

stevedlawrence opened a new pull request, #1174:
URL: https://github.com/apache/daffodil/pull/1174

   Pinning to a tag can lead to breaking builds or malicious actors compromising our actions if they are able to rename or delete a tag. Pinning to a commit hash avoids these issues. There is no loss of functionality--dependabot is able to update commit hashs and comments containing the associated tag.
   
   DAFFODIL-2881


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@daffodil.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

Re: [PR] Pin github actions to a commit hash [daffodil]

["stevedlawrence (via GitHub)" <gi...@apache.org>]

stevedlawrence commented on PR #1174:
URL: https://github.com/apache/daffodil/pull/1174#issuecomment-1971709712

   This is just replacing tags with equivalent commit hash so I don't think an additional +1 is necessary. I'll merge.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@daffodil.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

Re: [PR] Pin github actions to a commit hash [daffodil]

["stevedlawrence (via GitHub)" <gi...@apache.org>]

stevedlawrence merged PR #1174:
URL: https://github.com/apache/daffodil/pull/1174


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@daffodil.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org