Description
In action.yml, the following uses: references are pinned by tag rather than by full-length commit SHA:
- actions/cache@v4 (line 68)
- actions/cache/restore@v4 (line 126)
- actions/cache/save@v4 (line 224)
- actions/upload-artifact@v4 (lines 215, 232)
Suggested solution
Please update each to a full 40-character commit SHA, with the version as a trailing comment, e.g.:
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
I'm happy to raise a PR 😄
Additional context
GitHub's own guidance recommends pinning third-party actions to SHAs.
Consumers who correctly pin callstackincubator/react-native-harness@<sha> still get blocked because the nested references in this repo's action.yml use tags. This makes react-native-harness unusable in security-hardened environments.
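As an added example (not part of this issue or of the react-native-harness project), the following Python check scans an action.yml or workflow file for uses: references that are not pinned to a full-length commit SHA, and also notes SHA-pinned references that lack the trailing version comment the suggestion asks for. The embedded action.yml text is constructed for the example, and the function name find_unpinned_uses is an assumption, not anything from the repo.

```python
import re
from typing import List, Tuple

# Matches a `uses:` step reference (optionally quoted) with an optional trailing comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'#\s]+)["\']?\s*(#.*)?$')
# A full-length, lowercase hex commit SHA.
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')

# Constructed sample action.yml for this example (not the project's real file).
SAMPLE_ACTION_YML = """\
runs:
  using: composite
  steps:
    - uses: actions/checkout@v4
    - uses: actions/cache@v4
      with:
        path: ~/.gradle
    - uses: actions/cache/restore@v4
    - uses: ./.github/actions/local-helper
    - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
    - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830
"""


def find_unpinned_uses(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, reference, reason) for every `uses:` line that is not
    pinned to a full 40-character commit SHA, plus SHA-pinned lines that have no
    trailing version comment. Local (./path) and docker:// references are skipped
    because commit-SHA pinning does not apply to them."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        if ref.startswith('./') or ref.startswith('docker://'):
            continue
        version = ref.rsplit('@', 1)[1] if '@' in ref else ''
        if FULL_SHA_RE.match(version):
            if not comment:
                findings.append((lineno, ref, 'pinned to a SHA but missing the version comment'))
            continue
        findings.append((lineno, ref, f'ref "{version}" is not a full-length commit SHA'))
    return findings


def report(text: str) -> List[str]:
    """Render findings as one human-readable line each."""
    return [f'line {n}: {ref}: {reason}' for n, ref, reason in find_unpinned_uses(text)]


if __name__ == '__main__':
    for line in report(SAMPLE_ACTION_YML):
        print(line)
```

Run against the sample, the check flags the three tag-pinned cache/checkout references and the SHA-pinned cache line without a comment, while the local action and the correctly pinned upload-artifact line pass; point it at a real action.yml by reading the file into find_unpinned_uses.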