Hi there,
First off, thanks for this plugin. We use it and have been happy with its purpose for some time now.
I wanted to bring up a concerning section of code (to us) in hopes this can be addressed:
https://github.com/monebag/monorepo-diff-buildkite-plugin/blob/3f65d099261bf9680da137cc4cabc363bcabcb8d/hooks/command#L74-L103
In our organization, we cache all of our plugins into our build image so they can be used locally (without having to `git clone` a repository for each plugin). This saves on bandwidth and helps us ensure we know what we're running in our pipelines. I just submitted a PR (#139) and noticed that every invocation of this plugin is making a call to this repository to download a go binary, which puts a hole in our caching strategy, but also reads like a big security issue. I'm not sure I need to detail why this isn't a great idea, but are there plans to make this an offline plugin versus needing to download a binary to execute a command hook?

Thanks and looking forward to hearing back.
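The offline alternative the issue asks for, sketched as an added example (this is not code from the monorepo-diff-buildkite-plugin or its author): a command hook that never reaches the network, expects the plugin's Go binary to already be vendored into the build image, and checks it against a pinned SHA-256 before executing it. The cache directory, the `PLUGIN_CACHE_DIR` / `PLUGIN_BINARY_SHA256` variables, the binary name and the all-zero digest are assumptions or placeholders, not values from the plugin; `BUILDKITE=true` is the environment variable the Buildkite agent exports to hooks.

```shell
#!/usr/bin/env sh
# Added example (not the plugin's own hook): run a pre-vendored binary only
# after verifying its pinned SHA-256; no download path exists at all.
# PLUGIN_CACHE_DIR, PLUGIN_BINARY_SHA256, the binary name and the
# placeholder digest are assumptions, not the plugin's real identifiers.

set -eu

# Pinned digest of the vendored binary. Placeholder value: set it when you
# vendor the binary into the image, never from something fetched at run time.
PINNED_SHA256="${PLUGIN_BINARY_SHA256:-0000000000000000000000000000000000000000000000000000000000000000}"

# Print the SHA-256 of a file, using coreutils sha256sum or BSD shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_binary FILE EXPECTED_SHA256
# Succeeds only when FILE is a regular file whose digest matches EXPECTED_SHA256.
verify_binary() {
  file="$1"
  expected="$2"
  [ -f "$file" ] || { echo "missing vendored binary: $file" >&2; return 1; }
  actual="$(sha256_of "$file")"
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file: got $actual, want $expected" >&2
    return 1
  fi
  return 0
}

# resolve_binary CACHE_DIR NAME EXPECTED_SHA256
# Prints the path of the verified binary. There is deliberately no fallback
# that fetches a release from the repository when the file is absent.
resolve_binary() {
  candidate="$1/$2"
  verify_binary "$candidate" "$3" || return 1
  printf '%s\n' "$candidate"
}

main() {
  cache_dir="${PLUGIN_CACHE_DIR:-/opt/buildkite-plugins/bin}"   # assumed image path
  bin="$(resolve_binary "$cache_dir" "monorepo-diff" "$PINNED_SHA256")" || {
    echo "refusing to run: vendored binary absent or tampered; no network fallback" >&2
    exit 1
  }
  exec "$bin" "$@"
}

# The Buildkite agent exports BUILDKITE=true into hooks; outside the agent the
# functions above can be sourced and exercised without executing anything.
if [ "${BUILDKITE:-}" = "true" ]; then
  main "$@"
fi
```

Because the hook fails closed on a missing or mismatched file, an image that was built without the vendored binary surfaces as a clear pipeline error rather than silently pulling code from the network.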