Ensure the 'latest' tag is not used for any GitHub Actions image

A mutable reference such as `latest` or a branch name resolves to whatever was pushed most recently, so two runs of the same workflow can pull different code. That makes build behavior unpredictable, gives anyone who can push to the upstream image or repository a direct path into your pipeline (a supply chain attack vector), and leaves no record of which version actually ran, so a bad build cannot be reliably rolled back to a known-good state.

Risk Level: medium
Platform: Github
Spectral Rule ID: GHAC001


Always pin to an exact, immutable reference: a full commit SHA for actions and an `@sha256` digest for container images. A version tag such as `v4` or `3.19` is better than `latest` but is still a tag that the upstream owner can move or re-push, so it is not a true lock.


Bad examples:

  • uses: ubuntu:latest (floating tag that moves on every push)
  • uses: npm@master (branch name, not a released version)
  • uses: alpine (no tag at all, which implicitly means latest)
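
The check below is an added example of the logic behind this rule, not Spectral's own scanner. It walks a workflow file line by line, flags `uses:`, `container:` and `image:` values that are not pinned to a commit SHA or an image digest, and shows the pinned form next to the floating one. The two workflow texts are constructed samples, and the 40-hex SHA and sha256 digest in the pinned one are zero-filled placeholders rather than real pins.

```python
"""Flag mutable action and image references in a GitHub Actions workflow.

Added example for this rule page, not Spectral's own checker. The workflow
texts are constructed samples; the SHA and digest are zero-filled placeholders.
"""
import re

SHA_RE = re.compile(r"[0-9a-f]{40}")              # full git commit SHA
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")  # OCI image digest
MUTABLE_TAGS = {"latest", "master", "main", "stable", "edge", "nightly"}


def check_image_ref(image):
    """Check a container image reference (container:, image:, docker://)."""
    if DIGEST_RE.search(image):
        return None  # digest-pinned, immutable
    # A ':' introduces a tag only when no '/' follows it; otherwise it is a registry port.
    colon = image.rfind(":")
    if colon == -1 or "/" in image[colon:]:
        return ("error", image, "no tag, so it resolves to :latest; pin to an @sha256 digest")
    tag = image[colon + 1:]
    if tag in MUTABLE_TAGS:
        return ("error", image, f"tag '{tag}' moves on every push; pin to an @sha256 digest")
    return ("warn", image, f"tag '{tag}' can be re-pushed upstream; prefer an @sha256 digest")


def check_action_ref(ref):
    """Check the value of a `uses:` key."""
    if ref.startswith("docker://"):
        return check_image_ref(ref[len("docker://"):])
    if ref.startswith("./"):
        return None  # local action taken from this repository's own checkout
    if "@" not in ref:
        return ("error", ref, "no @ref, so it follows the default branch; pin to a full commit SHA")
    version = ref.rpartition("@")[2]
    if SHA_RE.fullmatch(version):
        return None  # commit SHA, immutable
    if version in MUTABLE_TAGS:
        return ("error", ref, f"'{version}' is a branch name; pin to a full commit SHA")
    return ("warn", ref, f"git tag '{version}' can be moved; pin to a full commit SHA")


LINE_CHECKS = (
    (re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)"), check_action_ref),
    (re.compile(r"^\s*(?:image|container):\s*([^\s#{]+)"), check_image_ref),
)


def scan_workflow(text):
    """Return (line, severity, ref, message) for every unpinned reference found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern, check in LINE_CHECKS:
            match = pattern.match(line)
            if match:
                finding = check(match.group(1))
                if finding:
                    findings.append((lineno,) + finding)
                break
    return findings


# Constructed sample: every reference here floats. `runs-on: ubuntu-latest` is a
# hosted-runner label, not an image reference, so the scanner ignores it on purpose.
FLOATING_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    container: alpine
    services:
      db:
        image: postgres:latest
    steps:
      - uses: actions/checkout@master
      - uses: actions/setup-node@v4
      - uses: docker://ubuntu:latest
      - uses: ./.github/actions/build
      - run: npm ci
"""

PLACEHOLDER_SHA = "0" * 40                  # placeholder, not a real commit
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64   # placeholder, not a real digest

# Constructed sample of the same workflow with every reference pinned.
PINNED_WORKFLOW = f"""\
jobs:
  build:
    runs-on: ubuntu-latest
    container: alpine@{PLACEHOLDER_DIGEST}
    services:
      db:
        image: postgres@{PLACEHOLDER_DIGEST}
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA}  # v4, human-readable version kept in a comment
      - uses: docker://ubuntu@{PLACEHOLDER_DIGEST}
"""

if __name__ == "__main__":
    for name, text in (("floating", FLOATING_WORKFLOW), ("pinned", PINNED_WORKFLOW)):
        print(f"== {name} ==")
        for lineno, severity, ref, message in scan_workflow(text):
            print(f"line {lineno}: {severity}: {ref}: {message}")
```

The scanner is a line matcher rather than a YAML parser, which is enough for the flat `uses:`/`image:` keys a workflow uses; a `container:` written as a mapping is still caught through its nested `image:` line. Version tags are reported at a lower severity than `latest` or a branch name because they are an exact version in intent but remain mutable, which is the distinction the rule text above draws.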

Read more:

  • TBD