actions/pypi-publish
1
0
Fork 0
mirror of https://github.com/pypa/gh-action-pypi-publish.git synced 2024-09-12 23:57:15 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

🎨📝 Link SHA pinning encouragement @ README

Browse source 
This article [[1]] describes security flows of using branches and
tags as an end-user. The commit is intended to educate them but not
force doing so if they don't want to.

[1]: https://julienrenaux.fr/2019/12/20/github-actions-security-risk/
This commit is contained in:
Sviatoslav Sydorenko 2023-07-13 16:44:47 +02:00
parent f8c70e705f
commit 2a939dd49b
No known key found for this signature in database
GPG key ID: 9345E8FEA89CA455
1 changed files with 4 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
README.md
View file

@ -18,7 +18,7 @@ comments in the corresponding [per-release announcement discussions].
The `master` branch version has been sunset. Please, change the GitHub
Action version you use from `master` to `release/v1` or use an exact
tag, or a full Git commit SHA.
tag, or opt-in to [use a full Git commit SHA] and Dependabot.
## Usage
@ -250,6 +250,9 @@ https://results.pre-commit.ci/latest/github/pypa/gh-action-pypi-publish/unstable
[pre-commit.ci status badge]:
https://results.pre-commit.ci/badge/github/pypa/gh-action-pypi-publish/unstable/v1.svg
[use a full Git commit SHA]:
https://julienrenaux.fr/2019/12/20/github-actions-security-risk/
[per-release announcement discussions]:
https://github.com/pypa/gh-action-pypi-publish/discussions/categories/announcements