AntFleet

Disagreement · 0a8afccf-openai-3

Actions not pinned to a commit SHA (supply-chain hardening)

solo GPT-5
repo 6f7fc663 · PR #17 · reviewed 1 week ago

GPT-5 finding

Actions not pinned to a commit SHA (supply-chain hardening)

low · security · high
  • .github/workflows/sync-upstream.yml:21
Floating action tags (e.g., @v4) can be replaced upstream without notice. Pinning to a specific commit SHA reduces the supply-chain risk of a compromised action release.

Recommendation

Pin third-party actions to a specific commit SHA (e.g., `actions/checkout@<commit-sha>`) and optionally use `actions/dependency-review-action` to monitor updates.
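As an added illustration of the check behind this finding (not code from AntFleet, GPT-5 or the reviewed repository), the script below scans a workflow for `uses:` references and reports every third-party action that is not pinned to a full 40-hex commit SHA. The workflow text is constructed for the example and stands in for `sync-upstream.yml`; the SHA in it is a placeholder, not a real `actions/cache` commit.

```python
import re

# Constructed sample workflow: NOT the PR's real sync-upstream.yml.
# The 40-digit value on the actions/cache line is a placeholder SHA.
SAMPLE_WORKFLOW = """\
name: sync-upstream
on: [push]
jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4            # floating tag: flagged
      - uses: actions/setup-node@v4.0.0      # a tag can still be moved: flagged
      - uses: actions/cache@1111111111111111111111111111111111111111  # placeholder SHA: ok
      - uses: ./.github/actions/local-thing  # local action: not a third-party ref
      - uses: docker://alpine:3.19           # container ref: out of scope here
"""

# Match a `uses:` key (with or without the leading list dash) and capture the
# reference up to whitespace or a trailing comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*([^\s#]+)')
# A pinned reference ends in a full lowercase 40-hex commit SHA.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify_ref(ref):
    """Return 'local', 'docker', 'pinned' or 'floating' for one uses: value."""
    ref = ref.strip('"\'')
    if ref.startswith('./'):
        return 'local'
    if ref.startswith('docker://'):
        return 'docker'
    if '@' not in ref:
        # No version at all resolves to the action's default branch.
        return 'floating'
    _, version = ref.rsplit('@', 1)
    return 'pinned' if SHA_RE.match(version) else 'floating'


def find_unpinned(workflow_text):
    """Return (line_number, ref) for each third-party action not pinned to a SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if classify_ref(ref) == 'floating':
            findings.append((lineno, ref))
    return findings


if __name__ == '__main__':
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f'line {lineno}: {ref} is not pinned to a commit SHA')
```

Run on the sample, it reports the `actions/checkout@v4` and `actions/setup-node@v4.0.0` lines and accepts the SHA-pinned one. In practice a pinned `uses:` is usually followed by a `# v4`-style comment so that Dependabot or Renovate can keep proposing SHA updates; the check above ignores comments, so that convention does not affect its result.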

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.
