ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0

BUG: workflow commands are not pinned #1334

Open laurentsimon opened 2 years ago

laurentsimon commented 2 years ago

We're not pinning our dependencies in the Makefile commands run in workflows. Some examples include all the additional tooling: it's currently stored under tools and is installed by running: cd tools; cat tools.go | grep _ | awk -F'"' '{print $$2}' | xargs -tI % go install %

This does not use the tools/go.sum because it runs every install as go install github.com/XXX. We should be pinning these dependencies properly.

I've started adding pinning in https://github.com/ossf/scorecard/pull/1332 for license check.

laurentsimon commented 2 years ago

@naveensrinivasan do you agree with my claim?

naveensrinivasan commented 2 years ago

@naveensrinivasan do you agree with my claim?

Maybe not! go proxy caches the version of the deps and shouldn't change AFAIK.

Maybe @rsc can clarify my assumption.

laurentsimon commented 2 years ago

We're using a shell script to manually extract the dependencies to install. There must be a better way to do that, I hope.
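As an added illustration (this is not code from the scorecard repository or from anyone in this thread), the following Go program replaces the grep/awk extraction with the real Go parser and turns each tool import into an explicitly pinned install target: it reads the tools.go import list with go/parser, reads the require lines of the tools module's go.mod, maps every import path to the longest matching module path, and emits path@version strings, refusing to proceed if a tool is not listed in go.mod. The tools.go and go.mod contents, the function names and the module versions below are all constructed for the example and are assumptions, not the project's real files.

```go
package main

import (
	"bufio"
	"fmt"
	"go/parser"
	"go/token"
	"sort"
	"strings"
)

// Constructed sample inputs; they stand in for tools/tools.go and tools/go.mod
// and are not the project's actual files.
const sampleToolsGo = `//go:build tools

package tools

import (
	_ "github.com/golangci/golangci-lint/cmd/golangci-lint"
	_ "github.com/google/addlicense"
	_ "golang.org/x/tools/cmd/goimports"
)
`

const sampleGoMod = `module example.com/tools

go 1.17

require (
	github.com/golangci/golangci-lint v1.43.0
	github.com/google/addlicense v1.0.0 // indirect
	golang.org/x/tools v0.1.8
)
`

// toolImports parses a tools.go file with the Go parser (ImportsOnly mode) and
// returns its import paths sorted, instead of grepping lines for "_".
func toolImports(src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "tools.go", src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	var paths []string
	for _, imp := range f.Imports {
		paths = append(paths, strings.Trim(imp.Path.Value, `"`))
	}
	sort.Strings(paths)
	return paths, nil
}

// requiredModules returns module path -> version from the require lines of a
// go.mod, handling both the block form and single-line "require x v1" form.
// Trailing comments such as "// indirect" are stripped first.
func requiredModules(goMod string) map[string]string {
	mods := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		f := strings.Fields(line)
		switch {
		case line == "":
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			mods[f[0]] = f[1]
		case len(f) == 3 && f[0] == "require":
			mods[f[1]] = f[2]
		}
	}
	return mods
}

// moduleFor finds the module providing importPath: the longest module path in
// mods that equals importPath or is a prefix of it on a "/" boundary.
func moduleFor(importPath string, mods map[string]string) (modPath, version string, ok bool) {
	for m := range mods {
		if (importPath == m || strings.HasPrefix(importPath, m+"/")) && len(m) > len(modPath) {
			modPath = m
		}
	}
	if modPath == "" {
		return "", "", false
	}
	return modPath, mods[modPath], true
}

// pinnedInstallTargets returns one "import/path@version" per tool import. Any
// tool whose module is missing from go.mod is an error, so nothing is ever
// installed unpinned by accident.
func pinnedInstallTargets(toolsGo, goMod string) ([]string, error) {
	imports, err := toolImports(toolsGo)
	if err != nil {
		return nil, err
	}
	mods := requiredModules(goMod)
	var targets []string
	for _, p := range imports {
		_, v, ok := moduleFor(p, mods)
		if !ok {
			return nil, fmt.Errorf("tool %s is not required in go.mod; refusing to install it unpinned", p)
		}
		targets = append(targets, p+"@"+v)
	}
	return targets, nil
}

func main() {
	targets, err := pinnedInstallTargets(sampleToolsGo, sampleGoMod)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, t := range targets {
		fmt.Println("go install", t)
	}
}
```

One caveat worth keeping in mind when choosing this route: go install path@version runs in module-aware mode independent of the go.mod in the current directory, and the downloaded module is checked against the Go checksum database (GOSUMDB) rather than against the tools module's local go.sum. If the intent is specifically to have tools/go.sum enforce the hashes, the alternative is to run a plain go install or go build for the import path from inside the tools module directory, where the main module's go.mod and go.sum apply.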