Comments (8)
didn't notice this:

> DEPRECATED this action is in maintenance-only mode and will not be accepting new features.

also a dupe of #79 -- also GitHub is moving away from dynamic version tags for actions (especially for their security implications)

@asottile if someone wanted to introduce a security issue they could always overwrite the full tag name, e.g. v2.0.2, anyway. You would actually need to recommend using hashes to patch that.

Can you share a link to support this?

> also GitHub is moving away from dynamic version tags for actions (especially for their security implications)

- https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions
- https://docs.github.com/en/code-security/supply-chain-security/keeping-your-actions-up-to-date-with-dependabot

Thanks.

> Pin actions to a full length commit SHA
> Pin actions to a tag only if you trust the creator

As I expected. Regular and dynamic tags are just as secure. Might as well have one.

Agree with @lukasz-mitka that using a tag like `@v3.0.1` is not more secure than a tag like `@v3`, "because a tag can be moved or deleted if a bad actor gains access to the repository storing the action", as GitHub explains.

GitHub is not "moving away" from tags like `@v3`. They simply provide guidance on how to be more secure by using SHAs, at https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

As for the Dependabot link, it's about keeping actions up-to-date. Right now, I get close to 100 Dependabot PRs whenever there's a new major version of a common action (like actions/checkout). With pre-commit/action, I get one every time there's a new patch version. If every action did things like pre-commit/action, Dependabot would be unmanageable. Having refs like `@v3` means my actions are automatically up-to-date until there's a major version – this is good for security.

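The guidance quoted above ("pin to a full length commit SHA") and the point in the preceding comment (a `v3.0.1` tag is no more immutable than a `v3` tag) can be turned into a review check. This is an added example, not code from this thread or from pre-commit/action; the workflow text is constructed inline and the 40-hex value in it is an obvious placeholder, not a real commit.

```python
import re

# Constructed sample workflow (not from the thread); the 40-hex value is an
# obvious placeholder, not a real pre-commit/action commit.
SAMPLE_WORKFLOW = """\
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: pre-commit/action@v3.0.1
      - uses: pre-commit/action@0123456789abcdef0123456789abcdef01234567  # v3.0.1
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.18
      - uses: some-org/some-action@main
"""

USES_RE = re.compile(r"""^\s*-?\s*uses:\s*["']?([^"'\s#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")   # v3, v3.0.1, 2.1 ...


def classify(ref):
    """Classify a `uses:` ref. Only a full-length SHA is immutable; a tag
    (`v3` and `v3.0.1` alike) or a branch can be moved by whoever controls
    the action's repository, which is the point GitHub's guide makes."""
    if ref.startswith("./"):
        return "local"      # same repo and commit as the workflow itself
    if ref.startswith("docker://"):
        return "docker"     # image pinning is a separate check
    if "@" not in ref:
        return "missing-ref"
    _repo, version = ref.rsplit("@", 1)
    if FULL_SHA_RE.match(version):
        return "sha"
    if TAG_RE.match(version):
        return "tag"
    return "branch-or-other"   # branch names and non-numeric tags


def audit(workflow_text):
    """Return (ref, kind) for every `uses:` line in a workflow file."""
    matches = (USES_RE.match(line) for line in workflow_text.splitlines())
    return [(m.group(1), classify(m.group(1))) for m in matches if m]


def mutable_refs(workflow_text):
    """Remote actions a reviewer should flag: anything not pinned to a full SHA."""
    return [ref for ref, kind in audit(workflow_text) if kind not in ("sha", "local", "docker")]
```

Run `audit` over each file under `.github/workflows/` to see how a repository is actually pinned; the trailing `# v3.0.1` comment convention on SHA-pinned lines is what Dependabot updates along with the hash.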
Anyway, will you be merging the `main` branch into the `release` branch (which can be used as a ref – it just doesn't have the benefit of helping users guard against breaking changes, like a well-managed `v3` would)?

the `release` branch is legacy (v2 and earlier)