Currently, the workflow uses version tags (e.g., @v4) for actions. This can lead to non-deterministic builds and opens a potential supply chain risk if the tag is updated with breaking or malicious changes.
I suggest pinning these actions to a specific commit SHA to ensure reproducible and secure workflows.
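The pinning this comment asks for, as an added example that is not part of the PR or the project's own tooling: a small POSIX shell helper that takes captured `git ls-remote` output, picks the commit SHA a tag resolves to, and rewrites the matching `uses:` line to that SHA with the tag kept as a trailing comment. It handles the one edge case that trips people up: an annotated tag is listed twice by `git ls-remote`, once as the tag object and once as the peeled `^{}` commit, and only the peeled commit is a valid ref to pin to. The SHAs, the workflow fragment and the `ls-remote` output are constructed placeholders, not real values.

```shell
#!/bin/sh
# Added example, not code from the PR under review. Resolves an action's tag to
# the commit it points at (offline, from captured `git ls-remote` output) and
# rewrites the matching `uses:` line to that commit SHA.
# Every SHA, the ls-remote listing and the workflow snippet are constructed.

# Constructed stand-in for:
#   git ls-remote https://github.com/actions/checkout 'refs/tags/v4*'
# Real output is tab-separated; spaces are used here and awk splits on either.
# An annotated tag shows up twice: the tag object and the peeled commit ("^{}").
SAMPLE_LS_REMOTE='1111111111111111111111111111111111111111 refs/tags/v4
2222222222222222222222222222222222222222 refs/tags/v4^{}
3333333333333333333333333333333333333333 refs/tags/v4.1.0'

# Constructed workflow fragment that still uses floating tags.
SAMPLE_WORKFLOW='    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20'

# resolve_tag_sha LS_REMOTE_OUTPUT TAG
# Prints the commit SHA for TAG. If a peeled "^{}" entry exists, that is the
# commit; the unpeeled SHA is a tag object and is not a valid `uses:` ref.
# A lightweight tag has only one entry, which already is the commit.
resolve_tag_sha() {
  peeled=$(printf '%s\n' "$1" | awk -v ref="refs/tags/$2^{}" '$2 == ref { print $1 }')
  if [ -n "$peeled" ]; then
    printf '%s\n' "$peeled"
  else
    printf '%s\n' "$1" | awk -v ref="refs/tags/$2" '$2 == ref { print $1 }'
  fi
}

# pin_action WORKFLOW_TEXT OWNER/REPO TAG SHA
# Rewrites "uses: OWNER/REPO@TAG" to "uses: OWNER/REPO@SHA # TAG" and leaves
# every other line untouched. The trailing comment keeps the human-readable
# version visible and is what Dependabot and Renovate read when bumping a pin.
pin_action() {
  tag_re=$(printf '%s' "$3" | sed 's/\./\\./g')   # make "." in the tag literal
  printf '%s\n' "$1" | \
    sed -E "s,(uses:[[:space:]]*$2)@${tag_re}([[:space:]]|\$),\\1@$4 # $3\\2,"
}

# Stand-alone demo: pin actions/checkout@v4 in the constructed workflow.
sha=$(resolve_tag_sha "$SAMPLE_LS_REMOTE" v4)
pin_action "$SAMPLE_WORKFLOW" actions/checkout v4 "$sha"
```

Against a live repository the input to `resolve_tag_sha` is the output of `git ls-remote https://github.com/OWNER/REPO 'refs/tags/TAG*'`; run it once per action and feed the result to `pin_action`. The `# vN` comment is not decoration: it is the only thing that tells a reviewer (or a bot proposing an update) which release a 40-character SHA corresponds to, so keep it on every pinned line.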