Travis to GA #109
Conversation
    - name: Coveralls
      # [pin v20201129]
      uses: AndreMiras/coveralls-python-action@f5fd5c309b39d01599fb92c72d4f7409ea78aec9
Why not use the tag directly?
uses: AndreMiras/coveralls-python-action@v20201129
For security reasons. If your GitHub is compromised, someone could delete your release v20201129, create another release with the tag v20201129, and put malicious code in it. At least that is how I understood this: pypa/gh-action-pypi-publish#27
I got a lot of my Action-yaml-ideas from https://github.com/fatiando/boule/blob/master/.github/workflows/pypi.yml - so @leouieda probably looked deeper into this issue and will correct me ;-)
Very interesting idea indeed, I've never thought about it. I would never go that far even though it makes sense what you say.
Thanks for sharing
I guess the important / more extensive link is in the comment of the GitHub issue I posted: https://julienrenaux.fr/2019/12/20/github-actions-security-risk/
Yeah, I’m a bit paranoid 🙂 I don’t much like the idea of giving a token to any action author out there. Not that I think you’re malicious @AndreMiras. But there are a lot of actions and I find it worrisome that GitHub has no control over this. It’s inevitable that someone will make an action at some point that steals tokens.
I understand your concern; isn't computer security all about being paranoid?
It's also about finding the right balance between security and productivity while keeping in mind the risk (impact/likelihood).
I for now prefer to keep it simple and readable with the tag, but I'm happy this potential flaw got brought to my attention 😃
You're absolutely right about needing a balance. For me, I've decided to use the commit hash whenever giving a token to an Action. I'm also not too worried about the official GitHub actions.
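The policy the thread converges on (pin third-party actions to a full commit SHA, accept mutable tags only for owners you trust, such as GitHub's own `actions/*`) is easy to check mechanically. The following is an added example and not code from this PR or from the coveralls-python-action project: it scans a workflow file for `uses:` references and reports which ones resolve to a mutable ref (tag or branch) rather than a 40-hex commit SHA. The sample workflow is constructed for the example; only the `AndreMiras/coveralls-python-action@f5fd5c3…` line is taken from the thread, and `some-org/some-action` is a made-up placeholder. The `trusted_owners` default mirrors the last comment's stance and is an assumption, not project policy.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample workflow (not the PR's real file). Only the
# AndreMiras line reproduces the pinned reference discussed in the thread.
SAMPLE_WORKFLOW = """\
name: CI
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Coveralls
        # [pin v20201129]
        uses: AndreMiras/coveralls-python-action@f5fd5c309b39d01599fb92c72d4f7409ea78aec9
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.12
"""

# Matches "uses: <target>" whether or not it starts a list item; stops at
# whitespace, quotes or a trailing comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')
# A full-length commit SHA is the only immutable reference for a repo action.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


class UsesRef(NamedTuple):
    line_no: int
    action: str
    ref: Optional[str]
    kind: str  # 'sha', 'mutable', 'unpinned', 'local' or 'docker'


def classify(target: str) -> Tuple[str, Optional[str], str]:
    """Split a uses: target into (action, ref, kind)."""
    if target.startswith("./"):
        return target, None, "local"       # lives in this repo, reviewed with it
    if target.startswith("docker://"):
        return target, None, "docker"      # image pinning is a separate concern
    action, sep, ref = target.partition("@")
    if not sep:
        return action, None, "unpinned"    # no ref at all: default branch
    if SHA_RE.match(ref):
        return action, ref, "sha"          # immutable: content cannot be swapped
    return action, ref, "mutable"          # tag or branch: owner can move it


def audit_workflow(text: str) -> List[UsesRef]:
    """Return every uses: reference in the workflow text with its kind."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            action, ref, kind = classify(m.group(1))
            findings.append(UsesRef(n, action, ref, kind))
    return findings


def needs_pinning(text: str, trusted_owners=("actions",)) -> List[UsesRef]:
    """Third-party actions referenced by a mutable ref or no ref at all.

    trusted_owners is an assumed allow-list; 'actions' reflects the view in
    the thread that GitHub's own actions are less of a concern.
    """
    out = []
    for f in audit_workflow(text):
        if f.kind not in ("mutable", "unpinned"):
            continue
        owner = f.action.split("/", 1)[0]
        if owner in trusted_owners:
            continue
        out.append(f)
    return out


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no:2d}: {f.kind:<8} {f.action}@{f.ref or ''}")
    for f in needs_pinning(SAMPLE_WORKFLOW):
        print(f"PIN ME -> line {f.line_no}: {f.action}@{f.ref}")
```

Running it on the sample reports `actions/checkout@v2` and `some-org/some-action@main` as mutable, the coveralls line as SHA-pinned, and flags only the `some-org` line under the default allow-list; passing `trusted_owners=()` flags both mutable refs. A comment like `# [pin v20201129]` next to the SHA, as in the reviewed hunk, keeps the pin readable without giving up immutability.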