Context
`release.yml` uses `tauri-apps/tauri-action@v0` — a mutable major-version tag. Anyone with write access to that tag (a compromised maintainer account, a hijacked release pipeline) could ship malicious code into our release builds, which then get signed with our Apple Developer ID and notarized.
Action
- Find the latest commit SHA of the action: visit https://github.com/tauri-apps/tauri-action/commits/v0
- Replace `uses: tauri-apps/tauri-action@v0` with `uses: tauri-apps/tauri-action@<full-40-char-commit-sha> # v0.x.x` (the trailing comment records which release the SHA corresponds to).
- Dependabot (already configured for `github-actions`) will open PRs to bump the SHA when new versions land.
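To make the pinning step checkable rather than a one-off manual edit, here is an added example (not part of this issue or of tauri-action) that scans a workflow for `uses:` references that are not full 40-hex commit SHAs and rewrites a given action to a pinned form. The sample `release.yml`, the SHA values and the `v0.x.x` version comment are all constructed placeholders; look up the real SHA on the commits page above before applying this to the actual file.

```python
import re

# Matches a step reference of the form `- uses: owner/repo[/path]@ref [# comment]`.
USES_RE = re.compile(
    r"^(?P<prefix>\s*-?\s*uses:\s*)"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)"
    r"@(?P<ref>[^\s#]+)(?P<rest>.*)$"
)
# A full-length commit SHA; abbreviated SHAs, tags and branches do not qualify.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow, mirroring the unpinned `@v0` line from the issue.
# The checkout SHA below is a made-up placeholder, not a real commit.
SAMPLE_RELEASE_YML = """\
name: release
on:
  push:
    tags: ["v*"]
jobs:
  build:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@1111111111111111111111111111111111111111 # vX.Y.Z
      - uses: tauri-apps/tauri-action@v0
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
"""

# Placeholder SHA for the example; replace with the real commit SHA of the release you audited.
FAKE_SHA = "0123456789abcdef0123456789abcdef01234567"


def find_unpinned(workflow_text):
    """Return (line_number, action, ref) for every action reference that is not
    pinned to a full commit SHA. Mutable refs (tags, branches) and short SHAs are
    both reported, since only a full SHA is immutable on GitHub."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group("ref")):
            findings.append((n, m.group("action"), m.group("ref")))
    return findings


def pin_action(workflow_text, action, sha, version_comment):
    """Rewrite every `uses:` line for `action` to `action@<sha> # <version_comment>`.
    The version comment is what Dependabot reads to know which release the SHA maps to,
    so it can bump both together."""
    if not SHA_RE.match(sha):
        raise ValueError("sha must be a full 40-character lowercase hex commit SHA")
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and m.group("action") == action:
            line = f"{m.group('prefix')}{action}@{sha} # {version_comment}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for n, action, ref in find_unpinned(SAMPLE_RELEASE_YML):
        print(f"line {n}: {action}@{ref} is not pinned to a commit SHA")
    pinned = pin_action(SAMPLE_RELEASE_YML, "tauri-apps/tauri-action", FAKE_SHA, "v0.x.x")
    print(pinned)
```

Running `find_unpinned` as a CI check on the workflow directory keeps future edits from silently reintroducing a floating tag; `pin_action` refuses abbreviated SHAs on purpose, because a short prefix can be brute-forced to collide with another commit.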
Why
OWASP CI/CD top 10 #4: insufficient flow control mechanisms (third-party action supply chain). For a code-signed desktop release, this is a real risk surface.