🔥 3-day streak
Microsoft DevOps Engineer Expert115 / 138
Question 115 of 138

Your team's GitHub Actions workflows reference several third-party actions from the marketplace using tags such as `actions-lab/deploy@v3`. A security review flags this as a supply-chain risk because a malicious maintainer (or a compromised account) could re-point an existing tag to modified code that runs with access to your repository secrets. You must harden the workflows against tampering of already-referenced action versions while keeping the ability to receive controlled updates. Which approach best mitigates the risk?

Reviewed for accuracy · Report an issueNext question