action.yml uses:

    image: 'docker://mikefarah/yq:4-githubaction'
That tag is mutable on Docker Hub. Consumers who pin the action with a commit SHA still pull this image by tag at run time, so the executed container is not fixed by the action pin.
Please pin the image by digest in action.yml (e.g. docker://mikefarah/yq:4-githubaction@sha256:…) on each release, or publish a per-release immutable tag and reference that instead.
The Dockerfile’s digest-pinned FROM lines (e.g. #2658) harden the build, but this image: line is what the runner actually resolves.
(Related: #2643 discusses container reproducibility; this issue is specifically about tag mutability for consumers who SHA-pin the action.)
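As an added example (not part of this issue or of the yq project), a small lint that flags `docker://` image references in an action.yml that are resolved by mutable tag only, which is the check a consumer or the maintainers could run on each release; the two action.yml fragments and the digest value in them are constructed placeholders, and the YAML is scanned with a regular expression rather than a YAML parser.

```python
import re

# Constructed action.yml fragment resembling the current state: the image is
# referenced by the mutable tag only, so a commit-SHA pin on the action does
# not fix the container that actually runs.
UNPINNED_ACTION_YML = """\
name: yq
runs:
  using: 'docker'
  image: 'docker://mikefarah/yq:4-githubaction'
"""

# Constructed fragment showing the requested form. The digest is a placeholder,
# not a real image digest; a real one would come from the registry manifest.
PINNED_ACTION_YML = """\
name: yq
runs:
  using: 'docker'
  image: 'docker://mikefarah/yq:4-githubaction@sha256:0000000000000000000000000000000000000000000000000000000000000000'
"""

# Matches an `image:` line whose value is a docker:// reference (quoted or not).
# `runs.image: Dockerfile` is deliberately not matched: that path is built by the
# runner and is hardened by digest-pinned FROM lines instead.
IMAGE_LINE_RE = re.compile(r"^\s*image:\s*['\"]?(docker://[^'\"\s]+)['\"]?\s*$", re.MULTILINE)

# A digest-pinned reference ends in @sha256: followed by 64 lowercase hex digits.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def find_docker_images(action_yml: str) -> list[str]:
    """Return every docker:// image reference declared in the action.yml text."""
    return IMAGE_LINE_RE.findall(action_yml)


def is_digest_pinned(ref: str) -> bool:
    """True when the reference carries a well-formed @sha256 digest."""
    return DIGEST_RE.search(ref) is not None


def unpinned_images(action_yml: str) -> list[str]:
    """Return the docker:// references that the runner would resolve by tag at run time."""
    return [ref for ref in find_docker_images(action_yml) if not is_digest_pinned(ref)]


if __name__ == "__main__":
    for label, text in (("unpinned", UNPINNED_ACTION_YML), ("pinned", PINNED_ACTION_YML)):
        print(label, "->", unpinned_images(text) or "all image references digest-pinned")
```

To obtain the digest to pin, `docker manifest inspect mikefarah/yq:4-githubaction` (or pulling the image and reading its RepoDigests with `docker inspect`) reports the manifest digest for the tag as currently published.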