Sebastian Pipping

Results 824 comments of Sebastian Pipping

Okay wow! While there is no bug tracker, there is an e-mail address linked at https://pypi.org/project/pypeek/ if anyone needs it. @firatkiral I would like to second the request for opening...

> If you have suggestions for Peek alternatives please add them below.

LIVEcap seems to play in the same realm, targets Windows and macOS (and Linux through Wine), latest release...

I would like to emphasize that even for read-only actions, a gone-malicious action could:
- modify build artifacts
- leak CI secrets (if secrets are used)
- release/deploy/publish malicious code...

@evverx pinning makes sure that the same action code will be run every time to allow a review-once-run-multiple-times kind of workflow. That's the problem pinning solves — it makes changes...

> > That should answer 99% of your question
>
> I didn't ask any question regarding pinning stuff. I know what it is and what it's supposed to accomplish....

> > what exactly is your motive and role in this discussion then?
>
> [#2018 (comment)](https://github.com/ossf/scorecard/issues/2018#issuecomment-1324954369)

@evverx either you acknowledge the security aspect of pinning for even read-only actions...

@evverx I see. I'm not sure I mind false positives in this context, I support more hardening. Your point is clear then, thanks.

@spencerschrock what I had in mind was more like:
1. `actions/upload-artifact` is used near the end of the workflow
2. a gone-malicious action _earlier_ in the workflow modifies files in...

@pnacht I can think of two scenarios in particular where using build artifacts in releases can be tempting: `make dist` (potentially combined with a wish to not leak local files...

@evverx I don't understand the question.