Closed hezhizhen closed 1 year ago
Thank you. I prefer to use commit hashes, see: logseq/logseq#8393
I assume that every tag is related to a unique commit hash, and then I don't know the benefit of using hashes instead of tags. Could you please explain it a bit? Thanks.
For example, what's the difference between
actions/checkout@v3.3.0
and actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
?
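The question above (a tag versus a full commit SHA for the same action version) is exactly what a workflow linter has to tell apart. The following is an added example, not code from the PR or the logseq project: it scans a constructed workflow for `uses:` references and reports which ones are pinned to something that can be moved later (a tag or branch) rather than to an immutable commit id. The sample workflow, `classify_ref` and `find_unpinned` are assumptions of this example.

```python
import re

# Constructed sample workflow (not from the PR), using the two forms of the
# same action version quoted in the thread: a tag and a full commit SHA.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3.3.0
      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c  # v3.3.0
      - uses: ./.github/actions/local-step
      - uses: some-org/some-action@main
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")

def classify_ref(ref):
    """Classify a `uses:` reference by how its target is pinned.
    sha    : 40-hex commit id; the content it names cannot change.
    tag    : version-like ref (v3.3.0); a tag can be moved to another commit
             later, so the same string may resolve to different code.
    branch : any other ref (main, ...); follows every new commit.
    local  : path in this repo; fixed by the workflow's own commit.
    """
    if ref.startswith("./"):
        return "local"
    if "@" not in ref:
        return "branch"  # no ref given: resolves to the action's default branch
    _, version = ref.rsplit("@", 1)
    if FULL_SHA_RE.match(version):
        return "sha"
    if VERSION_TAG_RE.match(version):
        return "tag"
    return "branch"

def find_unpinned(workflow_text):
    """Return (ref, kind) for each `uses:` that is neither a commit SHA nor a
    local path: the lines a reviewer asking for SHA pinning would flag."""
    return [(m.group("ref"), classify_ref(m.group("ref")))
            for m in USES_RE.finditer(workflow_text)
            if classify_ref(m.group("ref")) not in ("sha", "local")]

if __name__ == "__main__":
    for ref, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f"{kind:7} {ref}")
```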
There is a comment in the linked PR that explains the reasoning
Oh, I missed it. Thx.
Thank you. I prefer to use commit hashes, see: https://github.com/logseq/logseq/pull/8393
@Bad3r I disagree with this ask. It is not a recommended practice on the action's readme. The article referenced specifically calls out trusting the creator. We are already reliant on the github actions so of course we trust a repo created by the github action team. Using commit SHAs for repos we already trust is not something we're looking to practice on this repo. In the future, please act more like a contributor and discuss things first as you are not maintaining this repo.
@logseq-cldwalker Standardization is the best practice. It should matter if you trust source x or y and not as much source z; all should follow the best security practices as outlined by GitHub security team.
We are already reliant on the github actions so of course we trust a repo created by the github action team. Using commit SHAs for repos we already trust is not something we're looking to practice on this repo.
Every breach that happened to every app out there was because they trusted the source without verifying.
please act more like a contributor and discuss things first as you are not maintaining this repo
This is not called for. Especially when I am just trying to help in a topic I specialize in. This change was approved on main repo. Why couldn't we standardize things?
@logseq-cldwalker Standardization is the best practice.
@Bad3r This is something for logseq employees to decide. Standardizing has tradeoffs and you don't have enough context to be advocating this
It should matter if you trust source x or y and not as much source z; all should follow the best security practices as outlined by GitHub security team. https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
The best practices in that link allow for trusting creators. That guide does not recommend not trusting anyone, that is a practice you have chosen. There is also another practice of auditing source code which I have not seen you follow in either this PR or https://github.com/logseq/logseq/pull/8393. That is also something you have chosen. We each have different security practices for a number of reasons including the amount of time we spend on it.
This is not called for.
The last time you contributed to this repo was over a year ago and your contributions aren't one of a maintainer. It is important to understand your role is one of a contributor and not a maintainer on this repo.
Especially when I am just trying to help in a topic I specialize in.
The spirit of trying to help is appreciated but asking others to implement your opinions is not, as that should be reserved for maintainers. I have also previously shared in discord on other ways to help with this repo if you are interested.
This change was approved on main repo.
Each repository has different owners and makes independent decisions. Even in that large repository, there are different owners for sub portions of it. Please don't assume otherwise.