
Show HN: Improve the security of your GitHub Actions in one command - mheap
https://dev.to/mheap/improve-your-github-actions-security-1im7
======
mheap
I recently read [https://julienrenaux.fr/2019/12/20/github-actions-security-r...](https://julienrenaux.fr/2019/12/20/github-actions-security-risk/)
which reminds us that depending on external GitHub Actions is risky as
branch and tag refs are mutable.

> Using GitHub actions with branch names or tags is unsafe. Use commit hash
> instead.

Instead of updating to use a SHA everywhere, I wrote a tool to do it for you,
making a note of the original version (e.g. @master).

This allows you to run the tool in the future and have the SHA updated to the
most recent version whilst still pinning to a specific commit.
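
The rewrite described in the post above, as an added example that is not the author's tool: each external `uses:` ref is replaced by a commit SHA, the original ref is kept in a trailing comment, and a later run re-resolves that recorded ref. The `# pin@<ref>` comment format, the `resolve` callback, and the sample workflow and SHAs are assumptions constructed for this sketch.

```python
import re

# `uses:` line of a workflow step, with an optional trailing "# pin@<ref>" note.
# The "# pin@<ref>" comment format is this example's own convention.
USES = re.compile(
    r"^(?P<lead>\s*(?:-\s+)?uses:\s*)(?P<action>[^@\s#]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*pin@(?P<orig>\S+))?\s*$"
)
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def pin_workflow(text, resolve):
    """Pin each external `uses: owner/repo[/path]@ref` line to a commit SHA.

    resolve(repo, ref) must return the 40-hex commit SHA for that ref; how it
    looks the ref up is left to the caller (hypothetical helper).
    """
    out = []
    for line in text.splitlines():
        m = USES.match(line)
        if not m or m["action"].startswith(("./", "docker://")):
            out.append(line)  # not an external action reference
            continue
        ref = m["orig"] or m["ref"]  # prefer the recorded original ref
        if FULL_SHA.match(ref):
            out.append(line)  # hand-pinned SHA with no recorded ref
            continue
        repo = "/".join(m["action"].split("/")[:2])  # drop any sub-path
        sha = resolve(repo, ref)
        if not FULL_SHA.match(sha):
            raise ValueError(f"resolver returned a non-SHA for {repo}@{ref}")
        out.append(f"{m['lead']}{m['action']}@{sha} # pin@{ref}")
    return "\n".join(out) + "\n"


# Constructed workflow fragment and constructed SHAs, for illustration only.
SAMPLE = """\
steps:
  - uses: actions/checkout@master
  - uses: ./.github/actions/local
  - uses: example-org/example-action/sub@v1
  - run: make test
"""
REFS = {("actions/checkout", "master"): "a" * 40,
        ("example-org/example-action", "v1"): "b" * 40}

if __name__ == "__main__":
    print(pin_workflow(SAMPLE, lambda repo, ref: REFS[(repo, ref)]))
```

Lines that carry some other trailing comment are left untouched by this sketch, so they stay visible in review as still unpinned.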

