Pin third party action to hash (#106)

Third party actions should never not be pinned to a hash. Otherwise, in case the action repo is taken over by a malicious actor, they can change what runs in all of the workflows that julia-actions/cache is used in as well. Pinning to a hash prevents that.
Sascha Mann
2024-01-18 16:21:26 +01:00
committed by GitHub
parent 3e0649aaee
commit 216aaef29a


@@ -52,7 +52,7 @@ runs:
using: 'composite'
steps:
- name: Install jq
uses: dcarbone/install-jq-action@v2.1.0
uses: dcarbone/install-jq-action@8867ddb4788346d7c22b72ea2e2ffe4d514c7bcb
with:
force: false # Skip install when an existing `jq` is present
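
Review bot: The pinned `uses:` line for dcarbone/install-jq-action has no trailing comment naming the release the hash stands for, so the `v2.1.0` it replaces is no longer visible anywhere in the file. Suggest appending `# v2.1.0` after the hash, once it is confirmed that 8867ddb4788346d7c22b72ea2e2ffe4d514c7bcb is the commit that tag pointed to, so later reviewers and update tooling can tell which version is pinned and spot when it falls behind.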