mirror of
https://github.com/pypa/gh-action-pypi-publish.git
synced 2024-11-22 08:31:08 -05:00
🎨📝 Link SHA pinning encouragement @ README
This article [[1]] describes security flaws of using branches and tags as an end-user. The commit is intended to educate them, but not to force them to do so if they don't want to.

[1]: https://julienrenaux.fr/2019/12/20/github-actions-security-risk/
This commit is contained in:
parent
f8c70e705f
commit
2a939dd49b
1 changed file with 4 additions and 1 deletion
|
@ -18,7 +18,7 @@ comments in the corresponding [per-release announcement discussions].
|
||||||
|
|
||||||
The `master` branch version has been sunset. Please, change the GitHub
|
The `master` branch version has been sunset. Please, change the GitHub
|
||||||
Action version you use from `master` to `release/v1` or use an exact
|
Action version you use from `master` to `release/v1` or use an exact
|
||||||
tag, or a full Git commit SHA.
|
tag, or opt-in to [use a full Git commit SHA] and Dependabot.
|
||||||
|
|
||||||
|
|
||||||
## Usage
|
## Usage
|
||||||
|
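Review bot: the rewritten sentence "tag, or opt-in to [use a full Git commit SHA] and Dependabot." leaves the reader without the reason the commit message gives for the change; a short clause such as "opt in to [use a full Git commit SHA] (so the action you run cannot change underneath you) and let Dependabot keep it updated" would carry the point of the linked article into the README itself. Minor wording: as a verb it is "opt in", not "opt-in", and Dependabot deserves its own link alongside the SHA one so both halves of the recommendation are actionable.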
@ -250,6 +250,9 @@ https://results.pre-commit.ci/latest/github/pypa/gh-action-pypi-publish/unstable
|
||||||
[pre-commit.ci status badge]:
|
[pre-commit.ci status badge]:
|
||||||
https://results.pre-commit.ci/badge/github/pypa/gh-action-pypi-publish/unstable/v1.svg
|
https://results.pre-commit.ci/badge/github/pypa/gh-action-pypi-publish/unstable/v1.svg
|
||||||
|
|
||||||
|
[use a full Git commit SHA]:
|
||||||
|
https://julienrenaux.fr/2019/12/20/github-actions-security-risk/
|
||||||
|
|
||||||
[per-release announcement discussions]:
|
[per-release announcement discussions]:
|
||||||
https://github.com/pypa/gh-action-pypi-publish/discussions/categories/announcements
|
https://github.com/pypa/gh-action-pypi-publish/discussions/categories/announcements
|
||||||
|
|
||||||
|
|
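Review bot: the new reference `[use a full Git commit SHA]` points at a third-party blog post dated 2019, which can disappear or go stale while the README keeps recommending it; consider adding a pointer to the project's own or GitHub's documentation on pinning actions next to it, or at least an archived copy, so the recommendation survives the link. Placement is fine, but the definition sits between `[pre-commit.ci status badge]` and `[per-release announcement discussions]`, so if the reference block is meant to be alphabetical it should move after `[per-release announcement discussions]`.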