Azure-Samples / Speech-Service-Actions-Template

Use this template to create a repository to develop Azure Custom Speech models with built-in support for dev ops and common software engineering practices via GitHub Actions. Train, test, and release new Custom Speech models automatically as training data is updated. Version data, test results, endpoints, models, and more out of the box.
MIT License

change actions to retrieve action by commit hash instead of version tag. #51

Closed Joll59 closed 4 years ago

Joll59 commented 4 years ago

Actions have an inherent security flaw highlighted by this blog post; a working solution is to retrieve the action via the commit hash. This poses a different type of security flaw, but one with a much higher barrier for circumvention.

Currently only addressed for actions that are external to Microsoft and GitHub that we've taken a dependency on: GitVersion via GitTools. Installation of GitVersion retrieved via commit hash, including an execution of GitVersion retrieved via commit hash.

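A check for the pattern this PR applies, added here as an example and not part of the repository: it scans a workflow file for `uses:` references and reports external actions that are pinned to a mutable tag or branch instead of a full 40-hex commit SHA. The sample workflow, the owner allowlist (mirroring the PR's scope of only pinning actions outside Microsoft and GitHub) and the all-zero SHA are constructed placeholders.

```python
import re

# Constructed sample workflow (not from the repository). It mixes a
# tag-pinned GitTools action with a SHA-pinned one; the 40-zero SHA is a
# placeholder, not a real GitTools commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Install GitVersion
        uses: gittools/actions/gitversion/setup@v0.9.7
      - name: Execute GitVersion
        uses: gittools/actions/gitversion/execute@0000000000000000000000000000000000000000
      - uses: ./.github/actions/local-step
"""

# Matches "uses: <ref>" lines whether or not they start a list item.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
# A full commit SHA: exactly 40 lowercase hex digits (tags like v2 never match).
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Owners treated as first-party, matching the PR's scope (assumed allowlist).
TRUSTED_OWNERS = ("actions", "github", "microsoft", "azure")


def find_unpinned_actions(workflow_text, trusted_owners=TRUSTED_OWNERS):
    """Return (repo, ref) pairs for external actions not pinned to a commit SHA."""
    findings = []
    for match in USES_RE.finditer(workflow_text):
        ref = match.group(1).strip("\"'")
        # Local and docker:// references are not GitHub-hosted actions.
        if ref.startswith(("./", "docker://")):
            continue
        repo, _, version = ref.partition("@")
        owner = repo.split("/")[0].lower()
        if owner in trusted_owners:
            continue
        if not SHA_RE.match(version):
            findings.append((repo, version))
    return findings


if __name__ == "__main__":
    for repo, version in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned external action: {repo}@{version}")
```

Passing an empty `trusted_owners` tuple reports first-party actions as well, which is the stricter policy if the repository later decides to pin everything.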

Joll59 commented 4 years ago

Approved, but can you provide a run that shows this change has no functional effect?

A run demonstrating the 2 actions above can be found here. The failed step is a forced exit by me to reduce pipeline testing time.