action's ref should be full length commit SHA
❌
actions/checkout@v3
⭕
actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload
Some actions and reusable workflows don't support pinning version. You can exclude those actions and reusable workflows.
ghalint.yaml
excludes:
# slsa-framework/slsa-github-generator doesn't support pinning version
# > Invalid ref: 68bad40844440577b33778c9f29077a3388838e9. Expected ref of the form refs/tags/vX.Y.Z
# https://github.com/slsa-framework/slsa-github-generator/issues/722
- policy_name: action_ref_should_be_full_length_commit_sha
action_name: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml#650 As of v1.1.0, action_name supports a glob pattern.
excludes:
- policy_name: action_ref_should_be_full_length_commit_sha
action_name: suzuki-shunsuke/tfaction/* # glob patternpolicy_name and action_name are mandatory.
https://github.com/suzuki-shunsuke/pinact
pinact is useful to convert tags to full length commit SHA.