The accessibility-scanner workflow uses actions/github-script@v8 without pinning it to a specific commit SHA. This violates security best practices and causes the pipeline to fail when the "Require actions to be pinned to a full-length commit SHA" setting is enabled.
Steps to Reproduce
- Enable "Require actions to be pinned to a full-length commit SHA" in the repository settings.
- Run the accessibility-scanner workflow.
- Observe the failure caused by the unpinned actions/github-script action.
Expected Behavior
The workflow should run successfully with all actions pinned to full-length commit SHAs.
Actual Behavior
The workflow fails because actions/github-script@v8 is not pinned to a commit SHA.
Referenced line (accessibility-scanner/action.yml, line 137 in db51bb5):

    uses: actions/github-script@v8
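An added check, not code from this repository, that scans a workflow or action file for `uses:` references that are not pinned to a full-length (40 hex character) commit SHA; the sample excerpt below and the checkout SHA in it are constructed placeholders, not real values from accessibility-scanner/action.yml.

```python
import re

# Matches a step's "uses:" line and captures the action reference
# (owner/repo[/path]@ref, ./local/path, or docker://image).
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?')
# A full-length commit SHA is exactly 40 hex characters; tags (v8),
# branches and abbreviated SHAs do not satisfy the pinning rule.
FULL_SHA_RE = re.compile(r'^[0-9a-fA-F]{40}$')


def is_pinned_to_sha(ref):
    """True if the part after '@' is a full-length commit SHA."""
    return bool(FULL_SHA_RE.match(ref))


def find_unpinned_uses(workflow_text):
    """Return [(line_no, uses_value)] for every remote action reference that
    is not pinned to a full commit SHA. Local actions (./path) and
    docker:// images are skipped: the SHA rule covers repo actions only."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        uses = m.group(1)
        if uses.startswith('./') or uses.startswith('docker://'):
            continue
        if '@' not in uses:
            findings.append((line_no, uses))   # no ref at all
            continue
        ref = uses.rsplit('@', 1)[1]
        if not is_pinned_to_sha(ref):
            findings.append((line_no, uses))
    return findings


# Constructed sample modelled on the issue: one pinned step (placeholder
# SHA with the tag kept in a trailing comment, the usual convention),
# one unpinned github-script step, one local action.
SAMPLE_WORKFLOW = """\
name: accessibility-scanner (constructed sample)
runs:
  using: composite
  steps:
    - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
    - name: Summarise results
      uses: actions/github-script@v8
      with:
        script: core.info('scan done')
    - uses: ./local-action
"""

if __name__ == '__main__':
    for line_no, uses in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f'line {line_no}: {uses} is not pinned to a full commit SHA')
```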