Hi, thanks for poutine — great tool!
I was trying to pin the action (boostsecurityio/poutine-action) by commit SHA (following GitHub's supply chain best practices) and ran into something unexpected: the latest tagged release v0.15.2 points to commit 84c0a0d, but that commit is no longer reachable from main. It looks like the branch has received several dependabot bumps since then (up to poutine v1.1.2) without new release tags being created.
This means pinning to the latest release SHA gets flagged by zizmor as both impostor-commit and ref-version-mismatch:
```shell
# Tag exists but points to an orphaned commit
gh api repos/boostsecurityio/poutine-action/git/ref/tags/v0.15.2 --jq '.object.sha'
# 84c0a0d32e8d57ae12651222be1eb15351429228

# Latest commit on main is much newer
gh api repos/boostsecurityio/poutine-action/commits --jq '.[0] | {sha: .sha[0:12], message: .commit.message}'
# a563bfa02c3e — "Updated to poutine v1.1.2 (#24)"
```
For now I'm pinning to the main HEAD directly, but it would be great to have a proper tagged release to reference.
Cheers!
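A local reproduction of the condition described in this issue, added here as an example; it is not part of the issue, of poutine, or of zizmor. It builds a throwaway git repository, tags a commit, then rewrites `main` so the tagged commit is no longer an ancestor of the branch, and checks a SHA-pinned `uses:` line on two points: does the pinned SHA match the commit the version comment's tag resolves to, and is the pinned commit reachable from the branch. The repository name, commit messages and `uses:` lines are constructed, `git` is assumed to be on `PATH`, and the finding names are my own labels rather than zizmor's exact rule definitions.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Identity is passed per call so the example runs without any global git config.
GIT_IDENTITY = ["-c", "user.name=demo", "-c", "user.email=demo@example.com"]


def git(repo: Path, *args: str) -> str:
    """Run a git subcommand inside `repo` and return its stripped stdout."""
    result = subprocess.run(
        ["git", "-C", str(repo), *GIT_IDENTITY, *args],
        check=True, capture_output=True, text=True,
    )
    return result.stdout.strip()


def resolve(repo: Path, ref: str) -> str:
    """Peel a ref (branch, lightweight or annotated tag) to its commit SHA."""
    return git(repo, "rev-parse", f"{ref}^{{commit}}")


def is_ancestor(repo: Path, commit: str, branch: str) -> bool:
    """True when `commit` is reachable from `branch` (exit 0 from merge-base)."""
    result = subprocess.run(
        ["git", "-C", str(repo), "merge-base", "--is-ancestor", commit, branch],
        capture_output=True,
    )
    return result.returncode == 0


# Matches `uses: owner/repo@<40-hex-sha> # vX.Y.Z` as written in a workflow file.
USES_RE = re.compile(
    r"uses:\s*(?P<repo>[\w.-]+/[\w.-]+)@(?P<sha>[0-9a-f]{40})\s*#\s*(?P<tag>v?\d[\w.]*)"
)


def check_pin(repo: Path, uses_line: str, branch: str = "main") -> dict:
    """Check a SHA-pinned `uses:` line against a local clone of the action repo.

    ref_version_mismatch: the pinned SHA is not the commit the commented tag points to.
    unreachable_from_branch: the pinned SHA is not an ancestor of `branch`.
    """
    match = USES_RE.search(uses_line)
    if not match:
        return {"error": "not a SHA-pinned uses line with a version comment"}
    sha, tag = match["sha"], match["tag"]
    try:
        tag_sha = resolve(repo, f"refs/tags/{tag}")
    except subprocess.CalledProcessError:
        return {"error": f"tag {tag} does not exist in the repository"}
    return {
        "ref_version_mismatch": sha != tag_sha,
        "unreachable_from_branch": not is_ancestor(repo, sha, branch),
    }


def demo() -> tuple:
    """Build a constructed repo and return findings before and after `main` is rewritten."""
    repo = Path(tempfile.mkdtemp()) / "poutine-action"  # constructed name
    repo.mkdir()
    git(repo, "init", "-q")
    git(repo, "symbolic-ref", "HEAD", "refs/heads/main")
    git(repo, "commit", "-q", "--allow-empty", "-m", "release v0.15.2")
    git(repo, "tag", "v0.15.2")
    tag_sha = resolve(repo, "refs/tags/v0.15.2")
    pinned = f"uses: example/poutine-action@{tag_sha} # v0.15.2"  # constructed line

    # Healthy state: tag commit is on main and the pin matches the tag.
    before = check_pin(repo, pinned)

    # Rewrite main onto an unrelated root so the tagged commit is no longer an ancestor.
    git(repo, "checkout", "-q", "--orphan", "rewritten")
    git(repo, "commit", "-q", "--allow-empty", "-m", "Updated to poutine (rewritten history)")
    git(repo, "branch", "-M", "main")
    after = check_pin(repo, pinned)

    # Pinning the new main HEAD but keeping the old version comment is the other failure mode.
    head_sha = resolve(repo, "main")
    mismatched = check_pin(repo, f"uses: example/poutine-action@{head_sha} # v0.15.2")
    return before, after, mismatched


if __name__ == "__main__":
    for label, finding in zip(("before", "after", "mismatched"), demo()):
        print(label, finding)
```

Running it against a real clone means pointing `check_pin` at a fetched copy of the action repository (tags included) and feeding it the `uses:` lines from your workflows; a `True` on either finding is the signal to stop and ask the maintainers for a tag that sits on the published branch, as this issue does.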