ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0
4.62k stars 503 forks

Differentiate between commit SHA and tag SHA #2132

Open jenstroeger opened 2 years ago

jenstroeger commented 2 years ago

Is your feature request related to a problem? Please describe.

Related to my question/issue https://github.com/actions/checkout/issues/874. As described there, we had pinned an Action like so:

    - name: Checkout repository
      uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28

where d065129 was an annotated tag named v3 and not an existing commit. Furthermore, folks rewrite that tag whenever a new version 3 is released so that that “pin” isn’t really a pin at all.

Describe the solution you'd like

Warn me if a SHA is not a commit SHA, i.e. if the pin can be redirected.

Describe alternatives you've considered

Manually cross-checking that the pinned Actions actually reference commit SHAs.

Additional context

Pretty please?
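A small checker for the ambiguity described in this request, as an added example that is not part of Scorecard or of this issue: it pulls SHA pins out of a workflow file and asks a local clone of each action's repository (via `git cat-file -t`) whether the id names a commit or an annotated tag object. The clone-directory argument, the `sample_object_type` lookup table and the second sample id are assumptions made for the example.

```python
import re
import subprocess
from typing import Callable, Dict, List, Tuple

# A `uses:` step pinned to a full 40-hex object id. That id may name a commit
# (immutable) or an annotated tag object (re-pointable by re-tagging), which
# is the ambiguity this issue is about.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)@([0-9a-fA-F]{40})\b")

def find_sha_pins(workflow_text: str) -> List[Tuple[str, str]]:
    """Return (owner/repo, sha) for every SHA-pinned action in the workflow."""
    return [(m.group(1), m.group(2).lower())
            for m in map(USES_RE.match, workflow_text.splitlines()) if m]

def git_object_type(clone_dir: str, sha: str) -> str:
    """Ask a local clone of the action's repository what `sha` names.
    `git cat-file -t` prints commit, tag, tree or blob; a missing object fails."""
    try:
        out = subprocess.run(["git", "-C", clone_dir, "cat-file", "-t", sha],
                             capture_output=True, text=True, check=True)
    except (subprocess.CalledProcessError, FileNotFoundError):
        return "missing"
    return out.stdout.strip()

def audit_pins(workflow_text: str,
               object_type: Callable[[str, str], str]) -> Dict[str, str]:
    """Map each pin to 'ok' (commit), 'movable' (annotated tag object, so the
    pin can be redirected) or 'unresolved' (anything else, including missing)."""
    kinds = {"commit": "ok", "tag": "movable"}
    return {f"{repo}@{sha}": kinds.get(object_type(repo, sha), "unresolved")
            for repo, sha in find_sha_pins(workflow_text)}

# Constructed sample: the first id is the tag-object id quoted in the issue, the
# second is a placeholder; the `@v3` step is not SHA-pinned and is skipped.
SAMPLE_WORKFLOW = """\
steps:
  - name: Checkout repository
    uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
  - uses: actions/setup-python@1111111111111111111111111111111111111111
  - uses: actions/cache@v3
"""

def sample_object_type(repo: str, sha: str) -> str:
    """Constructed stand-in for git_object_type: answers from a fixed table."""
    return {"d0651293c4a5a52e711f25b41b05b2212f385d28": "tag",
            "1111111111111111111111111111111111111111": "commit"}.get(sha, "missing")
```

For a real run, pass something like `lambda repo, sha: git_object_type(f"clones/{repo}", sha)` with full clones that fetched tags; a pin whose object type comes back as `tag` is exactly the case this issue asks Scorecard to warn about.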

laurentsimon commented 2 years ago

This would be a nice improvement. Can you give an example repository? I'm not following the part that d065129 was an annotated tag named v3. The annotated tag is an object, so its commit hash would change if there was a force push to update it, no?

I've not fiddled much with annotated tags, so please bear with me :)

jenstroeger commented 2 years ago

Can you give an example repository?

If you take a look at the actions/checkout repository you’ll see that there is no commit d065129. However, there is a tag named v3 whose SHA d065129 “points at” (references, aliases, I’m unsure) a different commit whenever there’s an update.

I’m waiting for a response to that discussion in issue https://github.com/actions/checkout/issues/874#issuecomment-1207172111.

github-actions[bot] commented 1 year ago

Stale issue message - this issue will be closed in 7 days

jenstroeger commented 1 year ago

Uhm. Ping?

github-actions[bot] commented 11 months ago

This issue is stale because it has been open for 60 days with no activity.

spencerschrock commented 11 months ago

Yes, this would entirely defeat the purpose of a pinned GitHub Action. Hmm, this is similar to #2733, and a result of a GitHub implementation detail.

@laurentsimon I'm curious if we should have these API intensive tasks available as additional probes for people to run when needed, just not by default.

laurentsimon commented 11 months ago

Yes, this would entirely defeat the purpose of a pinned GitHub Action. Hmm, this is similar to #2733, and a result of a GitHub implementation detail.

@laurentsimon I'm curious if we should have these API intensive tasks available as additional probes for people to run when needed, just not by default.

+1 on having a probe for it.

github-actions[bot] commented 9 months ago

This issue is stale because it has been open for 60 days with no activity.