You can SHA-pin the top-level action, but Palo Alto’s “Unpinnable Actions” research documented how transitive dependencies remain unpinnable regardless. The tj-actions/changed-files incident in March 2025 started with reviewdog/action-setup, a dependency of a dependency. It cascaded outward when the attacker retagged all existing version tags to point at malicious code that dumped CI secrets to workflow logs, affecting over 23,000 repos. GitHub has since added SHA pinning enforcement policies, but only for top-level references.
Two more members of the Iranian women’s football team have reportedly sought asylum in Australia after refusing to board a flight back to their home country after competing in the Women’s Asian Cup tournament.
sequences (ctrl+acatch_all=end_key_sequence), making it easy to build
With this change, Tantivy can instead perform a cheaper membership check for a specific doc ID without actually advancing the iterator.