Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems a bit sad that GitHub's perms model isn't more finely grained here. This gives permission to update the commit hash of the
mainbranch, for example.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @Smaug123 if it counts - this is giving
writepermission only to this specific job, it's not possible to leverage this permission outside of this jobThis is required as we are modifying/publishing releases which are part of this repo
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This job executes external code that you do not have control of:
actions/download-artifact@v4andncipollo/release-action@v1. Attacks on that code will be able to make arbitrary use of thewritepermission.It is good practice to pin actions to a specific commit (not a tag like
v1that can change over time) plus a thorough review of that commit's code.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree with that, but it conflicts with
dependabotor any other dependency management that might want to update the action to the latest one due to security reasons or new featuresIt's up to the maintainer to decide whether he should be responsible for checking latest versions of the source code for any actions in this job, or having that in mind when merging PRs from tools like
dependabotThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Dependabot supports those commit versions as well, it keeps suggesting latest versions (here commits). Example: EnricoMi/publish-unit-test-result-action#473
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We haven't reached a point where we should distrust the tags yet. If we did, a problem would be a lot bigger than what we are discussing here, and there would be hundreds of PRs opened in this org alone to mitigate the issue. I do agree with the practice, but not so far to block PR from merging (i am aware it's approved). I will add though that when it comes to github actions (official and 3rd party), that we plan to have proxy actions in place of those, where we would do exactly what is mentioned (pin to a commit, and update to the next if review of the changes allows it). That will generate a lot of PRs over time as expected. I hope this gives some level of serenity
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Having just checked what that action does, a single line of curl would be simpler and easier to review :P
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
True that 😅