2026

SHA Pinning Is Not Enough: Poetry Edition

A few weeks ago, in the context of the Trivy incident, RoseSecurity published the article "SHA Pinning Is Not Enough", explaining how SHA pinning an action guarantees you always get the same commit, but it does not guarantee that commit is safe, not even that it was ever part of the upstream project.

This sounds odd the first time you read it. How can GitHub resolve a SHA that isn't on any branch of the official repo? The answer has to do with how GitHub manages forks: a fork shares the object storage with the parent repo, which means that any commit in any fork of the network is reachable by SHA from the upstream URL.

So I thought: if this is a GitHub-specific behavior and not a GitHub Actions one, could it happen with other tools that let you point at a commit? Like a package manager such as Poetry?
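A defender's check for the fork-network behaviour described above, as an added example that is not code from the original post: it fetches every branch and tag the upstream repository publishes, fetches the pinned object by bare SHA the way a pin resolves it, and then asks whether any upstream ref actually contains that commit. It assumes git is installed and that the URL you pass is the upstream (parent) repository, not a fork.

```shell
# Added example, not from the original post.
# pin_is_upstream <repo-url> <sha>
#   returns 0 if <sha> is an ancestor of at least one upstream branch or tag,
#   1 if the object is fetchable by SHA but no upstream ref contains it
#     (the "SHA pinning is not enough" case: a commit living only in the
#      fork network, served from the upstream URL),
#   2 if the SHA cannot be fetched at all.
pin_is_upstream() {
  repo="$1"; sha="$2"
  work=$(mktemp -d)
  git init -q "$work"
  # Every ref the upstream actually publishes: branches and tags.
  if ! git -C "$work" fetch -q "$repo" \
      '+refs/heads/*:refs/remotes/upstream/*' '+refs/tags/*:refs/tags/*'; then
    rm -rf "$work"; return 2
  fi
  # The pinned object itself, requested by bare SHA (this is what a pin does).
  if ! git -C "$work" fetch -q "$repo" "$sha"; then
    rm -rf "$work"; return 2
  fi
  rc=1
  for ref in $(git -C "$work" for-each-ref --format='%(refname)' \
      refs/remotes/upstream refs/tags); do
    # --is-ancestor succeeds when the pinned commit is on this ref's history.
    if git -C "$work" merge-base --is-ancestor "$sha" "$ref"; then
      rc=0; break
    fi
  done
  rm -rf "$work"
  return $rc
}
```

A pinned SHA that yields 1 is a commit git can hand you from the upstream URL even though no upstream branch or tag has ever pointed at it, which is exactly the case SHA pinning alone cannot catch.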