Build/Test Tools: Pin the welcome-action to a specific commit SHA.

Some GitHub Action scripts require additional permissions to perform the desired operations. This permission is usually given by passing a personal access token (PAT) to the action as an input. Because PATs grant access to sensitive information about the repository and actions with PATs become trusted actors, 3rd party actions should not be installed by specifying a major or minor version. Instead, specifying a full length commit SHA will use the 3rd party action as an immutable release, ensuring the workflows within the repository are not affected by upstream security problems should they occur. Props johnbillion. See #52625. git-svn-id: https://develop.svn.wordpress.org/trunk@50474 602fd350-edb4-49c9-b593-d223f7449a82
2025-01-17 12:58:25 +01:00 · 2021-03-02 16:09:16 +00:00 · 2021-03-02 16:09:16 +00:00 · bb046b0700
commit bb046b0700
parent 1ca0e68fc1
1 changed files with 1 additions and 1 deletions
--- a/.github/workflows/welcome-new-contributors.yml
+++ b/.github/workflows/welcome-new-contributors.yml
@ -11,7 +11,7 @@ jobs:
    if: ${{ github.repository == 'WordPress/wordpress-develop' }}

    steps:
-      - uses: bubkoo/welcome-action@v1
+      - uses: bubkoo/welcome-action@8dbbac2540d155744c90e4e37da6b05ffc9c5e2c
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          FIRST_PR_COMMENT: >