Travis to GA #109

Merged
merged 21 commits into from
Nov 30, 2020
Conversation

prisae (Member) commented Nov 14, 2020

No description provided.

@prisae prisae mentioned this pull request Nov 14, 2020
3 tasks
@prisae prisae added the maintenance Maintaining status quo label Nov 18, 2020
@prisae prisae changed the title Travis to ga Travis to GA Nov 18, 2020
coveralls commented Nov 30, 2020

Coverage increased (+9.0e-05%) to 99.933% when pulling 128197a on travis-to-GA into 82c4730 on master.

@emsig emsig deleted a comment from codecov bot Nov 30, 2020
@emsig emsig deleted a comment from codecov bot Nov 30, 2020
@emsig emsig deleted a comment from codecov bot Nov 30, 2020
@prisae prisae merged commit eb0dceb into master Nov 30, 2020
@prisae prisae deleted the travis-to-GA branch November 30, 2020 15:32

      - name: Coveralls
        # [pin v20201129]
        uses: AndreMiras/coveralls-python-action@f5fd5c309b39d01599fb92c72d4f7409ea78aec9

Why not use the tag directly?

        uses: AndreMiras/coveralls-python-action@v20201129

Member Author

For security reasons. If your GitHub is compromised, someone could delete your release v20201129, create another release with the tag v20201129, and put malicious code in it. At least that is how I understood this:

pypa/gh-action-pypi-publish#27

I got a lot of my Action YAML ideas from https://github.com/fatiando/boule/blob/master/.github/workflows/pypi.yml, so @leouieda probably looked deeper into this issue and will correct me ;-)

Very interesting idea indeed; I've never thought about it. I would never go that far, even though what you say makes sense.
Thanks for sharing.

Member Author

I guess the important / more extensive link is in the comment of the GitHub issue I posted: https://julienrenaux.fr/2019/12/20/github-actions-security-risk/

Yeah, I’m a bit paranoid 🙂 I don’t much like the idea of giving a token to any action author out there. Not that I think you’re malicious @AndreMiras. But there are a lot of actions and I find it worrisome that GitHub has no control over this. It’s inevitable that someone will make an action at some point that steals tokens.

I understand your concern; isn't computer security all about being paranoid?
It's also about finding the right balance between security and productivity while keeping in mind the risk (impact/likelihood).
For now I prefer to keep it simple and readable with the tag, but I'm happy this potential flaw was brought to my attention 😃

You're absolutely right about needing a balance. For me, I've decided to use the commit hash whenever giving a token to an Action. I'm also not too worried about the official GitHub actions.
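The practice the thread converges on (pinning a third-party action to a full commit SHA rather than a mutable tag, as the PR does for the coveralls step) can be checked mechanically. The following is an added example, not code from this PR or from the emsig project: it scans workflow text with a stdlib-only regex rather than a YAML parser, and the sample workflow is constructed (only the SHA-pinned line and the tag form come from the review above).

```python
import re
from typing import List, Tuple

USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify_ref(ref: str) -> str:
    """How a `uses:` reference is pinned:
    local   - path inside the repository, nothing fetched from a third party
    docker  - docker:// image, pinned by the registry rather than by git
    sha     - full 40-hex commit hash, which cannot be re-pointed
    mutable - tag or branch name, which whoever controls the action's account
              can delete and recreate on different code (the thread's concern)
    none    - no @ref at all"""
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    if "@" not in ref:
        return "none"
    return "sha" if FULL_SHA_RE.match(ref.rsplit("@", 1)[1]) else "mutable"

def unpinned_actions(workflow_text: str) -> List[Tuple[int, str, str]]:
    """(1-based line number, reference, kind) for each remote action that is
    not pinned to a full commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match:
            kind = classify_ref(match.group(1))
            if kind in ("mutable", "none"):
                findings.append((lineno, match.group(1), kind))
    return findings

# Constructed sample: SHA-pinned step from this PR, the tag form proposed in
# review, a tag-pinned official action and a local action.
SAMPLE_WORKFLOW = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@v2
      - uses: ./.github/actions/setup
      - name: Coveralls
        # [pin v20201129]
        uses: AndreMiras/coveralls-python-action@f5fd5c309b39d01599fb92c72d4f7409ea78aec9
      - uses: AndreMiras/coveralls-python-action@v20201129
"""

if __name__ == "__main__":
    print(unpinned_actions(SAMPLE_WORKFLOW))
```

The version comment next to the SHA (as in the PR's `# [pin v20201129]`) is what keeps a SHA-pinned line readable, which is the trade-off the tag proponent raises.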
