Summary
The workflow templates under playbooks/templates/.github/workflows/ (which generate .github/workflows/ansible-check.yml and related files in downstream roles such as linux-system-roles/ssh#239) currently reference GitHub Actions using floating tags rather than immutable commit SHAs.
Examples flagged
uses: actions/checkout@v6
uses: Jakuje/check-ansible-action@main
Risk
Floating tags (e.g., @v6, @main) can be moved upstream at any time, meaning CI behavior can change — or be hijacked — without any change to this repository. Pinning to full commit SHAs provides a stable, auditable reference.
Suggested fix
Replace floating tag references with the corresponding full 40-character commit SHAs, for example:
uses: actions/checkout@<full-sha-for-v6>
uses: Jakuje/check-ansible-action@<full-sha-for-current-main>
Tools such as Dependabot or zizmor can help automate this.
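As an added illustration of the check such tools perform (this is example code written for this issue, not zizmor's or Dependabot's implementation), the following script scans workflow YAML text for `uses:` steps and reports every remote action whose `@ref` is not a full 40-character commit SHA. The sample workflow embedded below is constructed for the example; the setup-python SHA in it is a placeholder, not a real commit.

```python
import re
from typing import List, Tuple

# A `uses:` step reference: owner/repo[/path]@ref, optionally quoted or followed by a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^\s'\"#]+)['\"]?")
# Only a full 40-hex commit SHA counts as an immutable pin.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_pinned(ref: str) -> bool:
    """True if the ref part of an action reference is a full commit SHA."""
    return bool(FULL_SHA_RE.match(ref))


def check_workflow(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, action, ref) for each remote action not pinned to a full SHA.

    Local actions (./path) and docker:// images are skipped: they are not
    versioned through a git ref and need a different check.
    An action with no @ref at all is reported with an empty ref, since it
    silently resolves to the repository's default branch.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append((lineno, ref, ""))
            continue
        action, _, version = ref.rpartition("@")
        if not is_pinned(version):
            findings.append((lineno, action, version))
    return findings


# Constructed sample workflow; the setup-python SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ansible-check
on: [pull_request]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: Jakuje/check-ansible-action@main
      - uses: actions/setup-python@0000000000000000000000000000000000000000 # v5 (placeholder SHA)
      - uses: ./.github/actions/local-helper
"""


if __name__ == "__main__":
    for lineno, action, version in check_workflow(SAMPLE_WORKFLOW):
        shown = version or "<no ref>"
        print(f"line {lineno}: {action}@{shown} is not pinned to a full commit SHA")
```

Running it on the sample reports the two floating references from this issue (`actions/checkout@v6` and `Jakuje/check-ansible-action@main`) and accepts the SHA-pinned step. Keeping a `# v5`-style comment after the SHA, as in the sample, is the convention Dependabot maintains so the pinned line stays readable and can be bumped automatically.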
References
unpinned-uses) in linux-system-roles/ssh#239 (comment)