Is your feature request related to a problem? Please describe.
Supply chain injections are becoming a common security flaw in CI systems and build chains. This includes:
- squatting in typo-named repos
- where CI tools can be compromised, pushing tags/releases that masquerade as official ones
- where repos have been renamed, or changed ownership, squatting in a previous repository name
Describe the solution you'd like
ArgoCD provides multiple mechanisms to validate the authenticity of the download, with SLSA and weaker SHA256 checksums available. Using one of these to verify the provenance of the intended version improves the integrity of using the dependency.
This would be in the code to download ArgoCD for use by this action.
Using the SLSA method is preferred as it is more secure.
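As an added illustration of what such a download step could look like (example code, not this action's own code): the binary for a pinned tag is fetched together with its published `.sha256` file, the digest is checked locally, and, when `slsa-verifier` is on PATH, the SLSA provenance is checked as well. Assumptions: the release asset names `argocd-linux-amd64`, `argocd-linux-amd64.sha256` and `argocd-cli.intoto.jsonl`, and the `slsa-verifier verify-artifact` flags, follow ArgoCD's release documentation; `sha256sum` is available (Linux runner).

```shell
#!/usr/bin/env sh
# Added example, not the action's own code. Assumes ArgoCD release asset names
# and slsa-verifier flags as documented by the ArgoCD project.
set -eu

# verify_sha256 FILE CHECKSUM_FILE
# CHECKSUM_FILE is in `sha256sum` format ("<hex>  <name>"). Returns 0 on a
# match, 1 on mismatch or on a malformed/truncated checksum file.
verify_sha256() {
  file="$1"; sums="$2"
  expected=$(awk 'NR==1 {print tolower($1)}' "$sums")
  # A digest must be exactly 64 hex characters; anything else is rejected
  # rather than compared, so a damaged checksum file cannot "pass".
  case "$expected" in
    *[!0-9a-f]*|"") return 1 ;;
  esac
  [ "${#expected}" -eq 64 ] || return 1
  actual=$(sha256sum "$file" | awk '{print tolower($1)}')
  [ "$actual" = "$expected" ]
}

# fetch_and_verify VERSION [WORKDIR]
# Downloads the CLI for a pinned tag (never "latest", so a masqueraded release
# cannot be picked up silently), verifies the checksum, then the SLSA
# provenance when slsa-verifier is installed.
fetch_and_verify() {
  version="$1"; dir="${2:-.}"
  base="https://github.com/argoproj/argo-cd/releases/download/${version}"
  curl -fsSL -o "$dir/argocd-linux-amd64" "$base/argocd-linux-amd64"
  curl -fsSL -o "$dir/argocd-linux-amd64.sha256" "$base/argocd-linux-amd64.sha256"
  verify_sha256 "$dir/argocd-linux-amd64" "$dir/argocd-linux-amd64.sha256" \
    || { echo "checksum mismatch for argocd ${version}" >&2; return 1; }
  if command -v slsa-verifier >/dev/null 2>&1; then
    curl -fsSL -o "$dir/argocd-cli.intoto.jsonl" "$base/argocd-cli.intoto.jsonl"
    # Binds the artifact to the argoproj/argo-cd repository and the exact tag.
    slsa-verifier verify-artifact "$dir/argocd-linux-amd64" \
      --provenance-path "$dir/argocd-cli.intoto.jsonl" \
      --source-uri github.com/argoproj/argo-cd \
      --source-tag "$version"
  fi
  chmod +x "$dir/argocd-linux-amd64"
}

# Usage in a workflow step: ARGOCD_VERSION=v2.9.3 sh verify-argocd.sh
if [ -n "${ARGOCD_VERSION:-}" ]; then
  fetch_and_verify "$ARGOCD_VERSION"
fi
```

Without `slsa-verifier` installed the script falls back to the checksum-only path, which is the weaker of the two options described above.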
Describe alternatives you've considered
Using the simpler SHA256 mechanism. Performing these actions without using this repository.
Additional context
Add any other context or screenshots about the feature request here.