docs: explain why not using hash pinning in a GHA

Because of a demand of SLSA Generator, their action cannot be used through pinned hashing. As using tags goes agains the best practices, I'm letting explicit the reason why we are using them. Signed-off-by: Diogo Teles Sant'Anna <diogoteles08@gmail.com>
sigstore · Sep 28, 2022 · 5747562 · 5747562
1 parent 8fbd1d7
commit 5747562
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -86,6 +86,8 @@ jobs:
       actions: read   # To read the workflow path.
       id-token: write # To sign the provenance.
       contents: write # To add assets to a release.
+    # Currently this action needs to be referred by tag. More details at:
+    # https://github.com/slsa-framework/slsa-github-generator#verification-of-provenance
     uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
     with:
       attestation-name: provenance-sigstore-${{ github.event.release.tag_name }}.intoto.jsonl