Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows
In today's post, we look at action pinning, one of the strongest mitigations against supply chain attacks in the GitHub Actions ecosystem. It turns out, though, that action pinning comes with a downside: a pitfall we call "unpinnable actions" that allows attackers to execute code in GitHub Actions workflows.
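To make the two ideas concrete, here is an added example (not code from the original post or from Unit 42): a small checker that flags `uses:` references in a workflow that are not pinned to a full 40-character commit SHA, and, going one step beyond the text above, also walks the `action.yml` of a pinned composite action to surface mutable references hidden inside it. The workflow, the composite action manifest and the commit SHAs are constructed sample data; the PyYAML-free line-based parsing is an assumption that keeps the script dependency-free.

```python
import re

# Full-length commit SHA: the only form of pinning that cannot move later.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses:` lines in workflow or action YAML (step lists or bare keys).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")

def parse_uses(text):
    """Return every `uses:` reference found in the given YAML text."""
    return [m.group(1) for line in text.splitlines() if (m := USES_RE.match(line))]

def is_pinned(ref):
    """True only for owner/repo[/path]@<40-hex-sha>, a local ./path (versioned
    with the calling repo) or a docker:// image pinned by sha256 digest."""
    if ref.startswith("./"):
        return True
    if ref.startswith("docker://"):
        return "@sha256:" in ref
    if "@" not in ref:
        return False
    version = ref.rpartition("@")[2]
    return bool(SHA_RE.match(version))

def unpinned_refs(text):
    """Mutable references (tags, branches, digest-less images) in one file."""
    return [r for r in parse_uses(text) if not is_pinned(r)]

def transitive_unpinned(workflow, action_manifests):
    """Report mutable references reachable from a workflow as (via, ref) pairs.
    action_manifests maps a pinned reference to the text of its action.yml, so
    a SHA-pinned composite action that itself uses a tag is still reported."""
    findings = []
    for ref in parse_uses(workflow):
        if not is_pinned(ref):
            findings.append((ref, ref))
        for inner in unpinned_refs(action_manifests.get(ref, "")):
            findings.append((ref, inner))
    return findings

# Constructed sample: two SHA-pinned steps and one tag-pinned step.
WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
      - uses: example-org/composite-action@0123456789abcdef0123456789abcdef01234567
      - uses: some-org/lint-action@v2
"""
# Constructed action.yml of the pinned composite action: its own step floats on a branch.
COMPOSITE_ACTION_YML = """\
runs:
  using: composite
  steps:
    - uses: some-org/setup-tool@main
"""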
As we discussed in the previous blog post, Third-Party GitHub Actions: Effects of an Opt-Out Permission Model, the permissive nature of GitHub Actions...