diff --git a/README.md b/README.md index b897ffee..a8dcb0cc 100644 --- a/README.md +++ b/README.md @@ -102,6 +102,10 @@ See the [development guide](DEVELOPMENT.md) for how to add support for new tool. The `@v` and `@` tags are updated with each release. If you want to enhance workflow stability and security against supply chain attacks, consider using the `@v..` tag or their hash to pin the version and regularly updating with [dependency cooldown]. Since all releases are immutable, pinning the version in either way should have the same effect. Pinning `@` tags by hash is strongly discouraged, as it causes the workflow to reference a [commit that is not present on the repository](https://docs.zizmor.sh/audits/#impostor-commit) when a new version is released. +The default fallback (cargo-binstall) is often affected by GitHub's API rate limits, so we [pass the `${{ github.token }}` to cargo-binstall](https://github.com/taiki-e/install-action/issues/561). Disabling the cargo-binstall fallback prevent passing token so helps enhance security. + +See the [Supported tools section](#supported-tools) for how to ensure that fallback is not used. + ### Security on installation from GitHub Releases @@ -124,8 +128,6 @@ When installing with `tool: ` or `tool: @ See the linked documentation for information on security when installed using [snap](https://snapcraft.io/docs) or [cargo-binstall](https://github.com/cargo-bins/cargo-binstall#faq). -The default fallback (cargo-binstall) is often affected by GitHub's API rate limits, so we pass the `${{ github.token }}` to cargo-binstall. Disabling the cargo-binstall fallback prevent passing token so helps enhance security. - See the [Supported tools section](#supported-tools) for how to ensure that fallback is not used. ## Compatibility
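Review bot: In the first hunk, the added sentence "Disabling the cargo-binstall fallback prevent passing token so helps enhance security." has a grammar error that was carried over from the original location; since the paragraph is being moved anyway, fix it in the new copy, e.g. "Disabling the cargo-binstall fallback prevents passing the token and so helps enhance security." The same hunk's "[dependency cooldown]" reference has no visible link target in this context, so confirm the README defines that reference-style link elsewhere or make it an inline link like the new `issues/561` one.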
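Review bot: In the second hunk, only the cargo-binstall paragraph is removed while the following line "See the [Supported tools section](#supported-tools) for how to ensure that fallback is not used." is kept as context, and the first hunk adds that same sentence after the moved paragraph, so the README will now carry it twice a few paragraphs apart. Either drop it from this hunk too (it reads as an orphan here once the paragraph it referred to is gone) or keep it in only one of the two places.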