Yep. No way around that yet, except for checking all workflows in your org and alerting on the use of a vulnerable version, or removal of the entire action for internal use. Alternatively you could remove the tag (=version) from the forked repo, but that would defy the purpose (and users can still use a commit SHA with the vulnerable version).
For these reasons, I suggested that GitHub add a “disallow” list of actions that cannot be used in your org/repo, next to the allow list.
One way that may work is to explicitly add tags to the fork with the versions that are approved, e.g. @v2-approved, and then limit the allow list to each forked action repo with those specific tags (@v2-approved or @approved*).
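An added example (not the commenter's own code) of the workflow check described above: it scans workflow files for `uses:` references to a forked action and flags any ref that is not one of the approved tags, including pinned commit SHAs unless they are explicitly approved. The fork name `my-org/some-action`, the `*-approved` tag convention and the sample workflow are constructed assumptions.

```python
import fnmatch
import re
from typing import List, Sequence, Tuple

# Matches a step line such as:  - uses: my-org/some-action@v2-approved
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')


def parse_uses(ref: str) -> Tuple[str, str]:
    """Split 'owner/repo[/subdir]@ref' into ('owner/repo', 'ref')."""
    if "@" not in ref:
        return ref, ""
    path, version = ref.rsplit("@", 1)
    parts = path.split("/")
    return "/".join(parts[:2]), version


def find_unapproved_uses(workflow_text: str, action_repo: str,
                         approved_patterns: Sequence[str],
                         approved_shas: Sequence[str] = ()) -> List[Tuple[int, str]]:
    """Return (line number, ref) for every use of action_repo whose ref is
    neither an approved tag pattern nor an explicitly approved commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        repo, version = parse_uses(m.group(1))
        if repo.lower() != action_repo.lower():
            continue  # some other action; the org allow list handles those
        if version in approved_shas:
            continue
        if any(fnmatch.fnmatchcase(version, p) for p in approved_patterns):
            continue
        findings.append((lineno, version))
    return findings


# Constructed sample workflow (hypothetical fork "my-org/some-action").
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: my-org/some-action@v2-approved
      - uses: my-org/some-action@v2
      - uses: my-org/some-action@0123456789abcdef0123456789abcdef01234567
      - uses: my-org/some-action/sub-dir@v3-approved
      - run: echo hi
"""

if __name__ == "__main__":
    for lineno, ref in find_unapproved_uses(
            SAMPLE_WORKFLOW, "my-org/some-action", ["*-approved", "approved*"]):
        print(f"line {lineno}: unapproved ref @{ref}")
```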