Closed (andyfaff closed this 5 days ago)
The gha-update package does hashes by default. Using a script is nice because it does all actions automagically.
Also, hashes are more secure. If the action author makes a point release and you're using something like v4, then you automatically start using that. If there's a security problem with that point release, you're exposing the repo to that. If the repo permissions aren't locked down, then that can create issues. By contrast, hashes are fixed to a single version.
Using an updater script every so often seems like a good balance.
Good points... I try to stick mostly to actions provided directly by GitHub (where one might worry less about hijacked version tags), but it's also nice to offload some maintenance to gha-update
...though it seems like we're now trusting the gha-update package to not be malicious, instead
Sort of. You can check easily that you're not using a different action (unless there's a typosquat change). A single hash version is less likely to have a problem.
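The check being discussed above (that every third-party action is pinned to an immutable commit rather than a movable tag or branch) is easy to automate. The script below is an added example for this thread, not gha-update's code and not part of this PR: it scans workflow text for `uses:` references and reports any whose ref is not a full 40-hex commit SHA. The embedded workflow is constructed for illustration, `some-org/some-action` is a made-up name, and the 40-zero SHA is a placeholder rather than a real commit.

```python
"""Lint GitHub Actions workflow text for `uses:` references that are not
pinned to a full 40-character commit SHA.

Added example for this discussion (not gha-update's code, not part of the PR).
The SAMPLE_WORKFLOW below is constructed: the SHA is a placeholder and
some-org/some-action is a made-up action name.
"""
import re

# "uses: owner/repo[/path]@ref" with optional list dash and trailing comment,
# e.g. "- uses: actions/checkout@<sha>  # v4.1.1" (the comment is how
# hash-pinning updaters record the human-readable version).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<action>[^@\s#]+)@(?P<ref>[^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_pinned(ref: str) -> bool:
    """A ref is immutable only when it is a full lowercase 40-hex commit SHA.
    Tags (v4), branches (main) and abbreviated SHAs can all be moved or retagged."""
    return bool(FULL_SHA_RE.match(ref))


def find_unpinned_uses(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, action, ref) for every remote action whose ref is
    not a full commit SHA.

    Local actions (./path) have no @ref and are never matched; docker:// images
    are skipped because registry tags and digests need a separate check.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group("action"), m.group("ref")
        if action.startswith("docker://"):
            continue
        if not is_pinned(ref):
            findings.append((lineno, action, ref))
    return findings


# Constructed sample workflow: one tag-pinned action, one hash-pinned action
# (placeholder SHA), one local action and one branch-pinned action.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0000000000000000000000000000000000000000  # v5.0.0 (placeholder SHA)
      - uses: ./.github/actions/local-step
      - uses: some-org/some-action@main
      - run: pytest
"""


def main() -> None:
    findings = find_unpinned_uses(SAMPLE_WORKFLOW)
    for lineno, action, ref in findings:
        print(f"line {lineno}: {action}@{ref} is not pinned to a commit SHA")
    if not findings:
        print("all remote actions are pinned to commit SHAs")


if __name__ == "__main__":
    main()
```

Run against a real `.github/workflows/*.yml` by reading the file into `find_unpinned_uses`; a non-empty result is the set of steps where a retagged release (the v4 case described above) would be picked up silently.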
Updates made with gha-update package