Open bsipocz opened 1 month ago
I would only pin the version if the package has dependabot setup for GitHub Actions workflows.
But in the meantime we are talking about supply chain security, so using a master branch for anything anywhere doesn't feel like a best practice.
Maybe I'm misunderstanding what your concerns are, but if something malicious were pushed to the master branch of this repo, that would also affect anyone using a pin with dependabot, once they merge the dependabot PR.
> that would also affect anyone using a pin with dependabot
Not if hashes are used.
This has been part of recent discussions, e.g. here and references therein: https://github.com/scientific-python/summit-2024/issues/9#issuecomment-2099059865
Ahh, also, I wonder if you noticed that the repo has been moved. Therefore using `master` from larsoner's fork won't necessarily pick up the most recent master branch from now on. And that is the main motivation for this issue and not the `master` part of the url.
Yes, I understand that. My comment was based on your "2)".
And it looks like it was moved properly (with a redirect), so unless @larsoner actually does make a fork, the old references should continue to work.
> Not if hashes are used.
I guess in the sense that dependabot would stop working entirely? I would recommend against that, especially for this repo, which has historically required many fixes to fix breakages caused by GitHub and CircleCI changing various things.
For me, pinning against master, or using a version pin with dependabot is all about being able to get bugfixes (which could include security fixes) from this workflow. The main difference with dependabot is you can verify things still work before upgrading, whereas with a `master` pin things might break accidentally without warning.
As far as reproducible builds are concerned, is this workflow being used for packaging? My understanding is that it is primarily used to serve development documentation, since GitHub Actions does not allow hotlinking to files in artifacts but CircleCI does.
> I guess in the sense that dependabot would stop working entirely?
Dependabot can work with hashes just fine.
> And it looks like it was moved properly (with a redirect), so unless @larsoner actually does make a fork, the old references should continue to work.
FWIW I forked but with `-fork` appended to the name for exactly that reason, didn't want to break the redirect 👍
There are 200+ packages using `uses: larsoner/circleci-artifacts-redirector-action@master`. We may want to consider opening PRs for them to update it to 1) the new location 2) using a numerical version, or even the hash for the latest release.

https://github.com/search?q=larsoner%2Fcircleci-artifacts-redirector-action%40master+NOT+is%3Afork+path%3A.github&type=code
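An added example, not code from this thread or from the action itself: a small audit that classifies every remote `uses:` reference in a workflow file as a floating branch (such as `master`), a version tag, or a full commit SHA, the three pin forms discussed above. The sample workflow, the `example-org/example-action` name and the 40-character SHA are constructed placeholders, not real values.

```python
import re

# A remote action reference looks like owner/repo@ref or owner/repo/subdir@ref.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # full commit hash: immutable pin
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")          # numeric tag such as v4 or 1.2.3


def classify_ref(ref):
    """Return 'sha', 'tag' or 'branch' for the part after the '@'."""
    if SHA_RE.match(ref):
        return "sha"
    if TAG_RE.match(ref):
        return "tag"
    return "branch"  # anything else (master, main, feature names) can move


def audit_uses(workflow_text):
    """Return (line_number, action, ref, kind) for each remote action reference."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue  # local ./path and docker:// steps have no owner/repo@ref form
        action, ref = m.groups()
        findings.append((n, action, ref, classify_ref(ref)))
    return findings


def unpinned(workflow_text):
    """Only the references that float on a branch and would pick up new commits."""
    return [f for f in audit_uses(workflow_text) if f[3] == "branch"]


# Constructed sample workflow (not taken from any real repository).
SAMPLE = """\
name: docs
on: [pull_request]
jobs:
  redirect:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: larsoner/circleci-artifacts-redirector-action@master
      - uses: ./.github/actions/local-helper
      # placeholder SHA below: a real pin uses the commit of the release being pinned
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
"""

if __name__ == "__main__":
    for n, action, ref, kind in audit_uses(SAMPLE):
        print(f"line {n}: {action}@{ref} -> {kind}")
```

Run over `.github/workflows/*.yml` the `unpinned` list is what a migration PR like the one proposed above would need to touch.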