Enable multi-arch builds in GHA for the main branch #161
rooftopcellist merged 2 commits into ansible:main from rooftopcellist:enable-cross-platform-build on Jan 8, 2024
Just out of curiosity, why use the commit with a comment with the tag instead of just the tag?
@Alex-Izquierdo that change was made by @jon-nfc , but my guess is that it was to pin to a particular known working version of the docker login action in case a new release breaks it. However, I do not know of a specific issue why this might have been done.
The commit is correct for v3.0.0:
@Alex-Izquierdo
@rooftopcellist is correct, it originated from myself. Code was copied directly from the GitHub Action template. However, the reason for keeping it this way is very simple: Security.
A word none of us like, but must deal with. Security in this case is the prevention (reduction in probability) of a supply chain attack or, more correctly put, limiting attack surface.
A git hash in the context of a repository will always remain the same and always be in the same location in the git history. You cannot change a git hash. Even if you submit the same code in the same location in the git history, the git hash will always be different.
A Git tag is tied to a git hash. The problem with a git tag for chain of custody is that the git tag can move hashes. You can delete an existing tag and attach it to another commit hash. This is a problem when using it to reference a dependency.
A hash to reference the same work as a git tag is preferable. One would hope that the developer who used the code had reviewed the dependent repo. This I suppose you could call now a dependency in a known and "approved" state. If the hash changes, which would make it not exist, then an error will occur.
Whilst it's not impossible for a hash collision to occur, the probability of it occurring is in the order of 2^40 which is significantly larger than the tag change which anyone with access to commit can do.
Addendum.
The commented tag version exists next to the hash as we are humans, and readability is important.
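The convention discussed in this thread (reference an action by full commit hash and keep the tag as a trailing comment for readers) can be checked mechanically across workflow files. The following is an added example, not part of the pull request or the project's code; `audit_workflow`, the sample workflow and its 40-character hash are constructed for illustration.

```python
import re

# A step's `uses:` value (owner/repo[/path]@ref) plus an optional trailing comment.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?(?P<action>[^@\s'\"]+)@(?P<ref>[^\s'\"#]+)['\"]?"
    r"\s*(?:#\s*(?P<comment>.*))?$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")

# Constructed sample: the hash below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Log in to registry
        uses: docker/login-action@0123456789abcdef0123456789abcdef01234567 # v3.0.0
      - uses: docker/setup-qemu-action@main
      - uses: ./.github/actions/local-step
"""


def audit_workflow(text):
    """Return (line_no, action, ref, verdict) for every remote action reference."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue  # not a `uses:` line, or a local ./path action with no @ref
        action, ref = m.group("action"), m.group("ref")
        if action.startswith("docker://"):
            continue  # container image references are out of scope here
        if FULL_SHA_RE.match(ref):
            # Immutable reference; the comment only labels it for human readers.
            verdict = "pinned" if m.group("comment") else "pinned-no-label"
        else:
            # Tag, branch or abbreviated hash: the ref can resolve to another commit.
            verdict = "unpinned"
        findings.append((line_no, action, ref, verdict))
    return findings


if __name__ == "__main__":
    for line_no, action, ref, verdict in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} -> {verdict}")
```

The check is purely syntactic: it confirms a reference has the shape of a full commit hash, not that the hash corresponds to the tag named in the comment.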