Closed morancj closed 1 year ago
Verification is currently provided via a `signing_key`: https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#signing_key
In theory we could also provide the ability to set a checksum directly rather than trusting the one in the GitHub release.
`0.16.0` refers to a release via a tag. It is the release that contains the built artifacts (compressed binaries, checksums).
In GitHub Actions, the content is stored directly in git, rather than as release artifacts. Git provides built-in immutable identifiers for all content (commit SHAs). Releases are inherently mutable and can be referenced by ID or tag only. It's not possible to refer to releases by a commit SHA.
Maybe we need a dependency lockfile like `terraform.lock.hcl`?
Yeah, I'd agree that's the right solution. Finding and pasting checksums is a poor user experience and in practice leads most people to opt out of integrity checking. Lock files make integrity checking part of the default workflow.
Opened https://github.com/terraform-linters/tflint/issues/1634 for the introduction of dependency lockfile. Closing this issue.
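The lockfile workflow discussed in the comments above, as an added example that is not tflint's own code: on first install the lockfile records the tag together with the digest of the bytes actually downloaded, and every later install is checked against that digest rather than against the tag alone. The lockfile layout, the function names and the sample artifact bytes are all assumptions constructed for illustration, modelled loosely on `terraform.lock.hcl`.

```python
"""Added example (not tflint's own code): a lockfile-style integrity check for
downloaded plugin archives.  The lockfile layout and function names are
assumptions for illustration, modelled loosely on terraform.lock.hcl."""
import hashlib
import hmac
import json
from typing import Tuple


def sha256_hex(data: bytes) -> str:
    """Content digest of a release artifact: the thing a lockfile pins."""
    return hashlib.sha256(data).hexdigest()


def lock_plugin(lock: dict, name: str, version: str, artifact: bytes) -> dict:
    """First install: record the tag *and* the digest of the bytes downloaded,
    so later installs are checked against content rather than a mutable tag."""
    lock.setdefault("plugins", {})[name] = {
        "version": version,
        "hashes": {"sha256": sha256_hex(artifact)},
    }
    return lock


def verify_plugin(lock: dict, name: str, version: str, artifact: bytes) -> Tuple[bool, str]:
    """Subsequent installs: refuse anything the lockfile does not vouch for.
    Returns (ok, reason) so the caller can log which check failed."""
    entry = lock.get("plugins", {}).get(name)
    if entry is None:
        return False, f"{name}: not in lockfile (unpinned plugin)"
    if entry["version"] != version:
        return False, f"{name}: lockfile pins {entry['version']}, config asks for {version}"
    expected = entry["hashes"]["sha256"]
    actual = sha256_hex(artifact)
    if not hmac.compare_digest(expected, actual):
        return False, f"{name}: sha256 mismatch (expected {expected[:12]}..., got {actual[:12]}...)"
    return True, f"{name} {version}: digest matches lockfile"


# Constructed sample data standing in for a downloaded release archive.
SAMPLE_ARTIFACT = b"tflint-ruleset-example 0.16.0 linux_amd64 (constructed bytes)\n"
SAMPLE_LOCK = lock_plugin({}, "example", "0.16.0", SAMPLE_ARTIFACT)


def demo() -> Tuple[bool, bool, bool]:
    """Unchanged artifact passes; the same tag pointing at different bytes
    (a silently re-pointed release) fails; an unknown plugin is rejected."""
    ok_same, _ = verify_plugin(SAMPLE_LOCK, "example", "0.16.0", SAMPLE_ARTIFACT)
    ok_retagged, _ = verify_plugin(SAMPLE_LOCK, "example", "0.16.0", SAMPLE_ARTIFACT + b"x")
    ok_unknown, _ = verify_plugin(SAMPLE_LOCK, "other", "1.0.0", SAMPLE_ARTIFACT)
    return ok_same, ok_retagged, ok_unknown


if __name__ == "__main__":
    print(json.dumps(SAMPLE_LOCK, indent=2))
    print(demo())
```

The point of returning a reason string rather than raising is that a tag that still resolves but now serves different bytes is a distinct failure from an unpinned plugin, and an installer should report them differently; a commit SHA, by contrast, already names the content, which is why the issue asks to allow it as a `version` value.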
Introduction
Allow plugin version to be specified as commit hash, as well as tag. Similar to pinning GitHub Actions versions to a commit.
Proposal
For example, instead of
I'd like to be able to use
`version = "fa6372da4fafa89fdc1052d966742a070a716725"`
References
https://michaelheap.com/ensure-github-actions-pinned-sha/
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions