# unpinned-tools.yml
#
# what:
# underlying tool uses that are left unpinned, even when the action itself
# is pinned.
#
# how:
# some actions fetch a tool or binary at runtime based on a `with.version`
# input. if that input is omitted, set to `latest`, or set dynamically via an
# expression, then the exact tool version may not be fixed.
# this workflow demonstrates the currently modeled `unpinned-tools` cases.
#
# note: each `uses:` below is pinned to a full commit SHA (the trailing
# comment records a release tag), so the action code itself is fixed. what
# stays floating is the tool the action fetches at run time. the remediation
# in every case is an exact `with.version` value naming one specific release,
# rather than omitting it, using `latest`, or computing it from an expression.
name: unpinned-tools
on:
  - push
# the demonstration job needs no token permissions at all
permissions: {}
jobs:
  unpinned-tools:
    runs-on: ubuntu-latest
    steps:
      # NOT OK: known action with no `with.version`
      # (no version input at all, so the fetched tool version may not be fixed)
      - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
      # NOT OK: known action with `version: latest`
      # (`latest` is a moving target; it resolves to a different tool release
      # over time)
      - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
        with:
          version: latest
      # NOT OK: known action with dynamic `version`
      # (the value is an expression, so the tool version cannot be determined
      # from the workflow text alone)
      - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
        with:
          version: ${{ inputs.trivy-version }}
      # NOT OK: second known action with no `with.version`
      - uses: 1password/load-secrets-action@92467eb28f72e8255933372f1e0707c567ce2259 # v4.0.0
      # NOT OK: second known action with `version: latest`
      - uses: 1password/load-secrets-action@92467eb28f72e8255933372f1e0707c567ce2259 # v4.0.0
        with:
          version: latest