Problem
The slsa-framework/slsa-github-generator reusable workflow in pages-deploy.yml (line ~782) is referenced by tag only:
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
While #100 will replace this entirely with actions/attest@v4.1.0, the tag-only reference is a supply chain risk in the interim. Tag references are mutable — a compromised tag could inject malicious code into the attestation workflow.
Proposed Solution
SHA-pin the existing reference until #100 lands:
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@bcb39c1a0aa1e68c09f445acae2ca1116e301104 # v2.1.0
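A CI check for the two conditions this fix cares about, as an added shell example (not from the issue or the slsa-github-generator project): it flags `uses:` references that are not pinned to a full 40-hex commit SHA and compares a pinned SHA against an expected commit. The sample workflow file, the `resolve_tag_sha` helper (which needs network access to run `git ls-remote`) and all function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit `uses:` references in a GitHub Actions workflow for
# tag-only pins and compare a SHA pin against the commit a tag points at.
set -eu

# Constructed sample workflow: the tag-only line from the issue, its
# SHA-pinned form, and a local reusable workflow that carries no external ref.
SAMPLE_WORKFLOW="$(mktemp)"
cat >"$SAMPLE_WORKFLOW" <<'EOF'
jobs:
  provenance:
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
  provenance_pinned:
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@bcb39c1a0aa1e68c09f445acae2ca1116e301104 # v2.1.0
  local:
    uses: ./.github/workflows/reusable.yml
EOF

# Print every external `uses:` value (trailing "# comment" stripped) whose ref
# is not a full 40-hex commit SHA. Local ./ references are skipped.
find_unpinned_uses() {
  grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$1" \
    | sed -E 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//; s/[[:space:]]*#.*$//' \
    | grep -v '^\./' \
    | grep -Ev '@[0-9a-f]{40}$' || true
}

# Number of unpinned references; anything other than 0 should fail the job.
count_unpinned_uses() {
  find_unpinned_uses "$1" | grep -c . || true
}

# Resolve a release tag to its commit SHA, preferring the peeled ("^{}")
# entry so annotated tags yield the commit, not the tag object. Needs network.
resolve_tag_sha() { # usage: resolve_tag_sha owner/repo tag
  git ls-remote --tags "https://github.com/$1" "$2" \
    | awk '/\^\{\}$/ {peeled=$1} !/\^\{\}$/ {plain=$1} END {print (peeled != "" ? peeled : plain)}'
}

# Exit 0 when the SHA in a pinned `uses:` value equals the expected commit.
sha_pin_matches() { # usage: sha_pin_matches "<uses value>" "<expected sha>"
  pinned="${1##*@}"; pinned="${pinned%% *}"
  [ "$pinned" = "$2" ]
}

# Report tag-only references in the sample; prints the @v2.1.0 line.
find_unpinned_uses "$SAMPLE_WORKFLOW"
```

In a real pipeline, `resolve_tag_sha slsa-framework/slsa-github-generator v2.1.0` supplies the expected SHA for `sha_pin_matches`, so a pin whose comment says `v2.1.0` is verified against the tag rather than trusted on its word.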
Acceptance Criteria
- slsa-framework/slsa-github-generator@v2.1.0 SHA-pinned with version comment
- Pinned SHA matches the slsa-framework/slsa-github-generator v2.1.0 release tag
Notes
This is an interim fix. Issue #100 will remove this reference entirely. If #100 is implemented first, this issue can be closed as superseded.
Dependencies