
Comments (8)

lukasz-mitka avatar lukasz-mitka commented on September 7, 2024

didn't notice this: DEPRECATED this action is in maintenance-only mode and will not be accepting new features.

from action.

asottile avatar asottile commented on September 7, 2024

also a dupe of #79 -- also github is moving away from dynamic version tags for actions (especially for their security implications)


lukasz-mitka avatar lukasz-mitka commented on September 7, 2024

@asottile if someone wanted to introduce a security issue they could always overwrite a full tag name, e.g. v2.0.2, anyway.
You would actually need to recommend using hashes to patch that.

Can you share a link to support this?

also github is moving away from dynamic version tags for actions (especially for their security implications)


asottile avatar asottile commented on September 7, 2024


lukasz-mitka avatar lukasz-mitka commented on September 7, 2024

Thanks.

Pin actions to a full length commit SHA
Pin actions to a tag only if you trust the creator

As I expected. Regular and dynamic tags are just as secure. Might as well have one.


jpmckinney avatar jpmckinney commented on September 7, 2024

Agree with @lukasz-mitka that using a tag like @v3.0.1 is not more secure than a tag like @v3, "because a tag can be moved or deleted if a bad actor gains access to the repository storing the action", as GitHub explains.

GitHub is not "moving away" from tags like @v3. They simply provide guidance on how to be more secure by using SHAs, at https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

As for the Dependabot link, it's about keeping actions up-to-date. Right now, I get close to 100 dependabot PRs whenever there's a new major version of a common action (like actions/checkout). With pre-commit/action, I get one every time there's a new patch version. If every action did things like pre-commit/action, dependabot would be unmanageable. Having refs like @v3 means my actions are automatically up-to-date until there's a major version – this is good for security.


jpmckinney avatar jpmckinney commented on September 7, 2024

Anyway, will you be merging the main branch into the release branch (which can be used as a ref – it just doesn't have the benefit of helping users guard against breaking changes, like a well-managed v3 would) ?


asottile avatar asottile commented on September 7, 2024

the release branch is legacy (v2 and earlier)

