Title: Change third party github actions to target specific commits rather than tags · Issue #581 · lincc-frameworks/python-project-template · GitHub
Open Graph Title: Change third party github actions to target specific commits rather than tags · Issue #581 · lincc-frameworks/python-project-template
X Title: Change third party github actions to target specific commits rather than tags · Issue #581 · lincc-frameworks/python-project-template
Description: We should pin our third party github actions to a specific commit, rather than a tag as we currently do. This is a cybersecurity measure recommended by GitHub: The individual jobs in a workflow can interact with (and compromise) other jo...
Open Graph Description: We should pin our third party github actions to a specific commit, rather than a tag as we currently do. This is a cybersecurity measure recommended by GitHub: The individual jobs in a workflow can...
X Description: We should pin our third party github actions to a specific commit, rather than a tag as we currently do. This is a cybersecurity measure recommended by GitHub: The individual jobs in a workflow can...
Opengraph URL: https://github.com/lincc-frameworks/python-project-template/issues/581
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Change third party github actions to target specific commits rather than tags","articleBody":"We should pin our third party github actions to a specific commit, rather than a tag as we currently do.\n\nThis is a cybersecurity measure [recommended by GitHub](https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions):\n\u003e The individual jobs in a workflow can interact with (and compromise) other jobs. For example, a job querying the environment variables used by a later job, writing files to a shared directory that a later job processes, or even more directly by interacting with the Docker socket and inspecting other running containers and executing commands in them.\n\n\u003e This means that a compromise of a single action within a workflow can be very significant, as that compromised action would have access to all secrets configured on your repository, and may be able to use the GITHUB_TOKEN to write to the repository. Consequently, there is significant risk in sourcing actions from third-party repositories on GitHub. For information on some of the steps an attacker could take, see [Secure use reference](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#potential-impact-of-a-compromised-runner).\n\nIn our workflows, we have some third party actions used like such:\n```\n - name: Install uv\n uses: astral-sh/setup-uv@v7\n```","author":{"url":"https://github.com/olivialynn","@type":"Person","name":"olivialynn"},"datePublished":"2026-04-16T14:44:35.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/581/python-project-template/issues/581"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:7d36c50c-abda-d0e7-d69c-40e6e9ad61b6 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | 8D12:142B17:836255:B56337:6A4C951D |
| html-safe-nonce | 55fdeac5060cdabc91104a0bc9ec4509128119ee392572dc1bec0a711e99d85d |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI4RDEyOjE0MkIxNzo4MzYyNTU6QjU2MzM3OjZBNEM5NTFEIiwidmlzaXRvcl9pZCI6IjMwMDExMTg1MjczOTYyODc3NzMiLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ== |
| visitor-hmac | 396aad3749c4ab18526f97833283f640226537494187d32313ea2f6116976b20 |
| hovercard-subject-tag | issue:4276496053 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/lincc-frameworks/python-project-template/581/issue_layout |
| twitter:image | https://opengraph.githubassets.com/3bf9e02030670bede0ec11dee054c380596f839c28925d0e216d78ae9afcea71/lincc-frameworks/python-project-template/issues/581 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/3bf9e02030670bede0ec11dee054c380596f839c28925d0e216d78ae9afcea71/lincc-frameworks/python-project-template/issues/581 |
| og:image:alt | We should pin our third party github actions to a specific commit, rather than a tag as we currently do. This is a cybersecurity measure recommended by GitHub: The individual jobs in a workflow can... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | olivialynn |
| hostname | github.com |
| expected-hostname | github.com |
| None | 3d11bb817438277de2a940854450e83a7d32b6aeb5014e9e6b00a6423900251c |
| turbo-cache-control | no-preview |
| go-import | github.com/lincc-frameworks/python-project-template git https://github.com/lincc-frameworks/python-project-template.git |
| octolytics-dimension-user_id | 108297791 |
| octolytics-dimension-user_login | lincc-frameworks |
| octolytics-dimension-repository_id | 594177527 |
| octolytics-dimension-repository_nwo | lincc-frameworks/python-project-template |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 594177527 |
| octolytics-dimension-repository_network_root_nwo | lincc-frameworks/python-project-template |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 7a2dede45637df6b92ddcfe2a557e67d4b5854ae |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width