TL;DR
Specify the commit SHA when referencing actions in a GitHub Actions workflow.
body
Actions on GitHub Marketplace are not security checked, even the official ones. From a security perspective, developers who write workflows should therefore make sure each action is safe and specify its version by commit SHA.
Otherwise, the tokens you provide to a malicious action might be used for mining virtual currency. If you wrote the actions in your YAML following the official description, check that they are not specified by tag or branch.