
gh workflow assign-pr: pin

Open ryanbr opened this issue 9 months ago • 6 comments

From: https://github.com/brave/uBlock/commit/e7e7277d0a9561e08c5cdcff7b93bd6d70efe917 Author: @thypon

Context for fix: https://x.com/ramimacisabird/status/1903068773411631426

ryanbr avatar Apr 04 '25 01:04 ryanbr

@gorhill looks okay?

ryanbr avatar Apr 14 '25 06:04 ryanbr

I am not worried about @actions/checkout, unlike some more obscure actions, and pinning to a specific version is a double-edged solution: security fixes past the pinned version would be left out. I prefer to keep the current workflow as is.

gorhill avatar Apr 14 '25 11:04 gorhill

@thypon thoughts? ^

ryanbr avatar Apr 15 '25 04:04 ryanbr

Quoted from @thypon:

  • I agree that actions/checkout is a minor. softprops/action-gh-release is not an official GitHub action, and is vulnerable to supply chain attacks as much as tj-actions in this case.
  • Moreover renovate is able to manage these updates with the following config.

```json
{
  "extends": [
    "config:recommended",
    "helpers:pinGitHubActionDigestsToSemver",
    ":pinDevDependencies"
  ]
}
```

This will:

  • shield against most supply chain attacks
  • make the supply chain reproducible, and not break at these behind-the-scenes bumps

ryanbr avatar Apr 19 '25 10:04 ryanbr
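An added example (not code from this thread or from the uBlock repository) that audits a workflow's `uses:` lines for the pinning question discussed above: it treats `actions/*` as official and everything else as third-party, and reports which refs are pinned to a full commit digest versus a floating tag. The workflow text and the 40-hex digest are constructed placeholders.

```python
import re

# Constructed sample workflow text; not taken from any real repository.
SAMPLE_WORKFLOW = """\
name: release
on:
  push:
    tags: ['*']
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: softprops/action-gh-release@v2
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.0 (constructed digest)
      - uses: ./.github/actions/local-step
      - run: echo build
"""

# Matches "uses: owner/repo@ref" and an optional trailing "# version" comment,
# which is the form digest-pinning tools such as renovate's
# helpers:pinGitHubActionDigestsToSemver keep for human readability.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_uses(text):
    """Return (ref, pinned_to_digest, official, version_comment) per action ref."""
    findings = []
    for m in USES_RE.finditer(text):
        ref, comment = m.group(1), m.group(2)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local path or docker image: not a marketplace action
        repo, _, version = ref.partition("@")
        official = repo.split("/")[0] == "actions"
        pinned = bool(SHA_RE.match(version))
        findings.append((ref, pinned, official, comment))
    return findings


def unpinned_third_party(text):
    """Third-party actions still tracking a mutable tag: the case flagged above."""
    return [ref for ref, pinned, official, _ in audit_uses(text)
            if not pinned and not official]


def unpinned_official(text):
    """Official actions on a tag: the case the maintainer chose to accept."""
    return [ref for ref, pinned, official, _ in audit_uses(text)
            if not pinned and official]
```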

Ok, so if you can revert the changes to actions/checkout@v4, I will pull the changes for softprops/action-gh-release@v2.

gorhill avatar Apr 19 '25 10:04 gorhill

Done @gorhill

ryanbr avatar Apr 27 '25 00:04 ryanbr