Summary
All GitHub Actions in .github/workflows/ci.yml are currently referenced by mutable version tags (e.g., @v1, @v4, @stable). These tags can be silently re-pointed to a different (potentially malicious) commit, creating a supply-chain attack surface. Pinning each action to a full commit SHA makes the referenced code immutable.
Actions to pin
At minimum, the following actions used in .github/workflows/ci.yml should be pinned to their current commit SHAs:
actions/checkout
actions/cache
actions/upload-artifact
actions/download-artifact
actions/setup-node
dtolnay/rust-toolchain
pnpm/action-setup
foundry-rs/foundry-toolchain
noir-lang/noirup
browser-actions/setup-chrome
docker/setup-buildx-action
docker/login-action
docker/build-push-action
dorny/paths-filter
cachix/install-nix-action
akhilmhdh/contributors-readme-action
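A small audit script, added here as an illustration and not part of this repository, that finds every `uses:` reference in a workflow file that is not pinned to a full 40-character commit SHA. The workflow text below is a constructed sample, not the real ci.yml, and the SHA in it is an obviously fake placeholder; local actions (`./...`) and `docker://` references are reported separately since they are not pinned the same way.

```python
import re
import sys

# Constructed sample workflow (not this repository's ci.yml). The SHA on the
# actions/cache line is a placeholder used only to show the pinned form.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - uses: dtolnay/rust-toolchain@stable
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
"""

# Matches "- uses: owner/repo@ref" (optionally quoted); stops before whitespace or a comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify_uses(ref):
    """Classify one uses: reference as pinned, unpinned, local, or docker."""
    if ref.startswith('./'):
        return ('local', ref, None)
    if ref.startswith('docker://'):
        return ('docker', ref, None)
    target, _, version = ref.partition('@')
    if FULL_SHA_RE.match(version):
        return ('pinned', target, version)
    # Tags (@v4, @stable) and branches can be re-pointed; only a full SHA is immutable.
    return ('unpinned', target, version)


def find_unpinned(workflow_text):
    """Return [(line_no, 'owner/repo@ref'), ...] for actions not pinned to a full SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        kind, target, version = classify_uses(m.group(1))
        if kind == 'unpinned':
            findings.append((n, f"{target}@{version}"))
    return findings


def main(paths):
    """Scan the given workflow files (or the built-in sample) and exit 1 if any are unpinned."""
    if not paths:
        sources = [('<sample>', SAMPLE_WORKFLOW)]
    else:
        sources = [(p, open(p, encoding='utf-8').read()) for p in paths]
    total = 0
    for name, text in sources:
        for line_no, ref in find_unpinned(text):
            print(f"{name}:{line_no}: not pinned to a commit SHA: {ref}")
            total += 1
    return 1 if total else 0


if __name__ == '__main__':
    sys.exit(main(sys.argv[1:]))
```

Run it as `python audit_pins.py .github/workflows/ci.yml`; with no arguments it scans the embedded sample and reports the three tag-pinned steps. When pinning, the usual convention is `uses: owner/repo@<full-sha> # v4` so the human-readable version survives as a comment, which this check still accepts because the comment is excluded from the parsed reference.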
References
/cc @0xjei