Affected File: .github/actions/homescreen-build/action.yml
toyota-connected / ivi-homescreen-plugins / .github / actions / homescreen-build / action.yml
uses: actions/checkout@v5
uses: actions/cache/restore@v4
uses: actions/cache/save@v4
Risk: Referencing these actions by mutable version tags (e.g., @v5, @v4) rather than pinned commit SHAs means a compromised or malicious update to any of them (actions/checkout, actions/cache/restore, actions/cache/save) would execute arbitrary code in the build environment the next time the workflow runs. This is a supply chain attack vector.
Recommendation: Pin all third-party action references to a specific full-length commit SHA, keeping the version as a trailing comment so the pinned release stays readable and can be tracked for updates, for example:
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v5.2.0