From 2a64171db2bb58029e2782e8393da8d6431b1512 Mon Sep 17 00:00:00 2001
From: Chris Normansell
Date: Tue, 6 Feb 2024 15:41:32 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=93=8C=20Pinning=20the=20GitHub=20Actions?= =?UTF-8?q?=20to=20ensure=20best=20practices=20in=20security?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

As part of the Bynder adoption of GitHub Actions they have reviewed our action usage and found a few actions we don't specify a specific version which could mean those actions could get comprised and we would pull in the comprised action straight away.
---
 .github/workflows/npm-publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index fde7d128a..07c25e0e7 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -40,7 +40,7 @@ jobs:
 NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
 - name: Get new version
 id: new-version
- uses: martinbeentjes/npm-get-version-action@main
+ uses: martinbeentjes/npm-get-version-action@v1.3.1
 - uses: stefanzweifel/git-auto-commit-action@v4
 with:
 commit_message: version ${{ steps.new-version.outputs.current-version}}
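Review bot: The new pin `@v1.3.1` is a tag, and a tag can be moved to a different commit by anyone with write access to the action's repository, so it narrows but does not close the exposure the commit message describes. Pinning to the full commit SHA with the tag kept as a comment is the immutable form: `uses: martinbeentjes/npm-get-version-action@<full-commit-sha-of-v1.3.1> # v1.3.1`. The next step, `stefanzweifel/git-auto-commit-action@v4`, is still on a floating major tag and sits in the same job that uses `secrets.NPM_TOKEN`, so it deserves the same treatment. The job's remaining steps lie outside the hunk, so other unpinned `uses:` lines may exist there.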