Context
We currently pin to a fork (lhoupert/bandit-action) instead of the upstream
PyCQA/bandit-action because the upstream action pins its internal dependencies
(actions/setup-python, actions/checkout, github/codeql-action/upload-sarif)
to mutable version tags rather than full-length commit SHAs.
This breaks workflows in environments that enforce SHA pinning for all transitive
action dependencies — a policy enforced by StepSecurity and OpenSSF Scorecard.
Upstream issue: PyCQA/bandit-action#28
Upstream fix PR: PyCQA/bandit-action#29 (awaiting review)
Action required
Once PR #29 is merged and a new release of PyCQA/bandit-action is cut, update
action.yml to replace:
uses: lhoupert/bandit-action@<sha>
with the upstream pinned SHA:
uses: PyCQA/bandit-action@<new-sha> # vX.Y.Z
Then the fork can be retired.
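The policy described above (every transitive `uses:` reference must resolve to a full-length commit SHA, not a mutable tag or branch) is easy to check locally before StepSecurity or Scorecard flags it. The following script is an added example, not code from this repository or from PyCQA/bandit-action; it scans an action.yml or workflow file for `uses:` entries and reports those not pinned to a 40-character hex SHA. The sample YAML embedded in it is constructed for illustration, and the SHA in it is a placeholder, not a real upstream commit.

```python
import re
import sys

# Constructed sample of a composite action's steps (not the project's real action.yml).
# The 40-hex SHA below is a placeholder, not a real commit.
SAMPLE_ACTION_YML = """\
runs:
  using: composite
  steps:
    - uses: actions/checkout@v4
    - uses: actions/setup-python@v5
      with:
        python-version: '3.12'
    - uses: github/codeql-action/upload-sarif@e1f2a3b4c5d6e7f8091a2b3c4d5e6f708192a3b4 # v3.0.0
    - uses: ./local-action
    - uses: docker://alpine:3.19
"""

# Matches `uses: <ref>` (optionally as a list item, optionally quoted), stopping at a comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
# A full-length Git commit SHA is exactly 40 lowercase hex characters.
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def parse_uses(text):
    """Return (line_no, ref) for every `uses:` entry in a workflow or action file."""
    found = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            found.append((line_no, m.group(1)))
    return found


def classify(ref):
    """Classify a uses: reference as local, docker, sha, mutable or unpinned.

    Local (./path) and docker:// references are not GitHub action refs and are
    outside the scope of SHA pinning; everything else must carry @<full-sha>.
    """
    if ref.startswith('./'):
        return 'local'
    if ref.startswith('docker://'):
        return 'docker'
    if '@' not in ref:
        return 'unpinned'            # no version at all: resolves to default branch
    _, version = ref.rsplit('@', 1)
    return 'sha' if FULL_SHA_RE.match(version) else 'mutable'


def find_unpinned(text):
    """Return (line_no, ref, kind) for every reference that is not SHA-pinned."""
    findings = []
    for line_no, ref in parse_uses(text):
        kind = classify(ref)
        if kind in ('mutable', 'unpinned'):
            findings.append((line_no, ref, kind))
    return findings


def main(argv):
    # With a path argument, scan that file; otherwise scan the constructed sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_ACTION_YML
    findings = find_unpinned(text)
    for line_no, ref, kind in findings:
        print(f"line {line_no}: {ref} ({kind} reference; pin to a full commit SHA)")
    # Non-zero exit lets this run as a CI gate.
    return 1 if findings else 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))
```

Run it against a downloaded copy of a third-party action's action.yml to see what a pinning policy will reject in that action's own steps; on the sample above it reports the two tag-pinned `actions/*` steps and accepts the SHA-pinned upload-sarif step, which is exactly the distinction the upstream issue is about.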