Comments (12)
Sure. Just released v1.0.9 now.
from lychee-action.
Hey @booyaa,
thanks for offering your help. That is a very interesting solution that is both easy to integrate, performant, and avoids a lot of manual work. I'd be happy to mention that workflow in the docs. Could you create a PR?
@mre To clarify the concern, it's in this line:
Line 1 in 58f63c6
Pinning the action SHA as you mentioned earlier:
```yaml
- name: Link Checker
  uses: lycheeverse/lychee-action@<sha>
```
prevents a silent attack from anything directly in the `lychee-action` repository, but since `lychee-action` specifies an unpinned Docker image, the user is still vulnerable if the `lycheeverse/lychee:latest` tag is changed to an attack, or an erroneous tinysearch push. 😉
Adding the current SHA to the first line of the Dockerfile would prevent this:
```dockerfile
FROM lycheeverse/lychee:latest@sha256:...
```
The dependabot solution @booyaa mentions sounds interesting if it can be made to work for updating that SHA.
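As an added example (not code from lychee-action or from anyone in this thread), here is a small POSIX shell linter for the two pinning styles discussed above: a `uses:` reference counts as pinned only when it ends in a full 40-hex commit SHA, and a Docker image reference only when it carries an `@sha256:` digest. The workflow and Dockerfile it scans are constructed inline; the 40-hex action SHA in them is a placeholder, and the image digest is the `lycheeverse/lychee:0.5.1-alpha` one from the `docker pull` command shown in this thread.

```shell
#!/bin/sh
# Added example, not code from lychee-action: lint GitHub Actions `uses:` lines
# and Dockerfile FROM lines for the pinning styles discussed in this thread.
# The sample inputs below are constructed; the 40-hex action SHA is a placeholder.

# A `uses:` reference is pinned only when the ref after '@' is a full 40-hex
# commit SHA. Tags and branches (@v1, @master) can be moved after the fact.
action_is_pinned() {
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(/[^@]*)?@[0-9a-f]{40}$'
}

# A Docker image reference is pinned only when it carries an @sha256:<64 hex>
# digest; a tag such as :latest or :0.5.1-alpha may still be present.
image_is_pinned() {
  printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Read workflow YAML on stdin and print every unpinned `uses:` reference.
unpinned_actions() {
  sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*//p' |
    sed 's/[[:space:]]*#.*$//' |
    while IFS= read -r ref; do
      case "$ref" in
        docker://*) image_is_pinned "${ref#docker://}" || printf '%s\n' "$ref" ;;
        ./*) ;;   # local action in the same repository: nothing to pin
        *) action_is_pinned "$ref" || printf '%s\n' "$ref" ;;
      esac
    done
}

# Read a Dockerfile on stdin and print every FROM image that lacks a digest.
# Flags such as --platform=... are skipped to reach the image reference.
unpinned_images() {
  awk 'toupper($1) == "FROM" { for (i = 2; i <= NF; i++) if ($i !~ /^--/) { print $i; break } }' |
    while IFS= read -r img; do
      image_is_pinned "$img" || printf '%s\n' "$img"
    done
}

# Helpers that return a count, so the result can be checked rather than read.
count_unpinned_actions() { printf '%s\n' "$1" | unpinned_actions | wc -l | tr -d ' '; }
count_unpinned_images()  { printf '%s\n' "$1" | unpinned_images  | wc -l | tr -d ' '; }

# Constructed workflow: one SHA-pinned action, one tag-pinned action,
# one unpinned docker:// image and one local action.
WORKFLOW='name: Links
on: [push]
jobs:
  links:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Link Checker
        uses: lycheeverse/lychee-action@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: docker://lycheeverse/lychee:latest
      - uses: ./.github/actions/local-step'

# Constructed Dockerfile: an unpinned FROM beside a digest-pinned one
# (digest taken from the docker pull command quoted in this thread).
DOCKERFILE='FROM lycheeverse/lychee:latest
FROM --platform=linux/amd64 lycheeverse/lychee:0.5.1-alpha@sha256:efe2bf21aca4acaf3449fcd432a0ed49ccf33c0ee9ae5c94849d5a3d430392ec
COPY entrypoint.sh /entrypoint.sh'

echo "unpinned actions:"; printf '%s\n' "$WORKFLOW" | unpinned_actions
echo "unpinned images:";  printf '%s\n' "$DOCKERFILE" | unpinned_images
```

Run it against real files with `unpinned_actions < .github/workflows/links.yml` and `unpinned_images < Dockerfile`; a non-empty output is the list of references a tag move or a bad `latest` push could silently change. The same two checks cover both halves of the concern in this thread: the action reference in the user's workflow and the base image in the action's own Dockerfile.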
Will write something up next Tuesday!
Would it be possible to release a new version of this action where the `latest` docker image isn't pulled? The above change to pin to a specific version in the master branch means that users have to use `lycheeverse/lychee-action@master` to avoid breaking changes in the `lychee` binary, but this means they're also vulnerable to breaking changes in this repo. It would be great to have a version of the action that's not vulnerable to these kinds of changes.
That's great, thanks @mre
Oh I didn't know that was possible.
Just tested; this works as expected:
```shell
docker pull lycheeverse/lychee:0.5.1-alpha@sha256:efe2bf21aca4acaf3449fcd432a0ed49ccf33c0ee9ae5c94849d5a3d430392ec
```
But I'm not sure I understand.
`lychee-action` is not pulling Docker images directly afaik? The Docker image gets pulled by Github Actions on build.
So wouldn't it be enough if people added the SHA themselves like so?
```yaml
- name: Link Checker
  uses: lycheeverse/[email protected]@sha256:...
```
It's likely that I'm missing something.
@mre I think you're right in that people using the action should do this themselves. Perhaps update the documentation? I'd be willing to have a crack at it.
Read a bit more about this security hardening strategy and it looks like people using the actions can use dependabot to automatically patch with the sha digest: https://francoisbest.com/posts/2020/the-security-of-github-actions
It's a relatively easy thing to apply:
```yaml
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
version: 2
updates:
  - package-ecosystem: "github-actions" # See documentation for possible values
    directory: ".github/workflows" # Location of package manifests
    schedule:
      interval: "daily"
```
Any updates on this @booyaa? 😄
Hello there, I came here to submit a similar issue and saw this one 😃
> @mre To clarify the concern, it's in this line:
> Line 1 in 58f63c6
Unfortunately I'm a victim of this. In my case, there's nothing to worry about security but my CI failed out of nowhere today. It seems like `lychee-action` is just pulling the latest `lychee` and this causes new versions to be used as default. I can't really find a workaround for this because `latest` has been there since lychee-action v1.0.1 (71f60db).
I think it'd be best to apply @trevyn's suggestion (and maybe set a specific `lychee` version in Dockerfile?).
Yup, makes sense. Would you help me out here and send a PR? 😅
Glad to help. 😊
I think we can close this. I've created a PR for mentioning dependabot in #48.