Merge pull request github#24286 from github/repo-sync

Octomerger · web-flow · commit 44396293edee · 2023-03-03T15:35:45.000-08:00
repo sync
diff --git a/content/actions/learn-github-actions/finding-and-customizing-actions.md b/content/actions/learn-github-actions/finding-and-customizing-actions.md
@@ -47,7 +47,7 @@ You can search and browse actions directly in your repository's workflow editor.
 
 ## Adding an action to your workflow
 
-You can add an action to your workflow by referencing the action in your workflow file. 
+You can add an action to your workflow by referencing the action in your workflow file.
 
 You can view the actions referenced in your {% data variables.product.prodname_actions %} workflows as dependencies in the dependency graph of the repository containing your workflows. For more information, see “[About the dependency graph](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).”
 
@@ -159,7 +159,7 @@ steps:
 
 ### Using SHAs
 
-If you need more reliable versioning, you should use the SHA value associated with the version of the action. SHAs are immutable and therefore more reliable than tags or branches. However this approach means you will not automatically receive updates for an action, including important bug fixes and security updates. You must use a commit's full SHA value, and not an abbreviated value. This example targets an action's SHA:
+If you need more reliable versioning, you should use the SHA value associated with the version of the action. SHAs are immutable and therefore more reliable than tags or branches. However, this approach means you will not automatically receive updates for an action, including important bug fixes and security updates. You must use a commit's full SHA value, and not an abbreviated value. {% data reusables.actions.actions-pin-commit-sha %} This example targets an action's SHA:
 
 ```yaml
 steps:
diff --git a/content/actions/security-guides/security-hardening-for-github-actions.md b/content/actions/security-guides/security-hardening-for-github-actions.md
@@ -176,7 +176,7 @@ You can help mitigate this risk by following these good practices:
 
 * **Pin actions to a full length commit SHA**
 
-  Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
+  Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. {% data reusables.actions.actions-pin-commit-sha %}
 
 * **Audit the source code of the action**
 
diff --git a/data/reusables/actions/actions-pin-commit-sha.md b/data/reusables/actions/actions-pin-commit-sha.md
@@ -0,0 +1 @@
+When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+When selecting a SHA, you should verify it is from the action's repository and not a repository fork.`