slsa-github-generator

[bug] Strict input checking

Open ianlewis opened this issue 2 years ago • 4 comments

GitHub actions don't validate that inputs were passed to an action even if the input is marked as required.

We should be more strict about input checking and produce errors if the inputs were not given.

For example, a call to secure-project-checkout-go could omit the go-version input even though it's required. This would result in an empty value being passed to setup-go which would install the "latest version" as determined by setup-go.

      - name: Checkout the Go repository
        uses: ./__BUILDER_CHECKOUT_DIR__/.github/actions/secure-project-checkout-go
        with:
          path: __PROJECT_CHECKOUT_DIR__

ianlewis, Apr 02 '23 23:04
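
One way a composite action could fail closed when a required input is omitted, as an added example that is not part of the issue or of the slsa-github-generator code base. The function name `require_inputs` and the `name=value` calling convention are assumptions; in an action, each value would come from `${{ inputs.<name> }}` passed through the step's `env:` block.

```shell
#!/bin/sh
# Added example (hypothetical helper, not project code): a first step in a
# composite action that rejects missing inputs before any other step runs.

# require_inputs NAME=VALUE...
# Prints one GitHub `::error::` annotation per input whose value is empty
# or whitespace-only, and returns the number of such inputs (0 = all set).
require_inputs() {
  _ri_missing=0
  for _ri_pair in "$@"; do
    _ri_name=${_ri_pair%%=*}    # text before the first '='
    _ri_value=${_ri_pair#*=}    # text after the first '=' (may contain '=')
    # An omitted input expands to the empty string; treat blank values
    # the same way, since they would also reach setup-go as "no version".
    if [ -z "$(printf '%s' "$_ri_value" | tr -d '[:space:]')" ]; then
      echo "::error::required input '${_ri_name}' was not provided"
      _ri_missing=$((_ri_missing + 1))
    fi
  done
  return "$_ri_missing"
}

# Intended use inside the action (assumed env mapping):
#   env:
#     INPUT_PATH: ${{ inputs.path }}
#     INPUT_GO_VERSION: ${{ inputs.go-version }}
#   run: require_inputs "path=$INPUT_PATH" "go-version=$INPUT_GO_VERSION" || exit 1

# Constructed sample mirroring the step in the issue: `path` is passed,
# `go-version` is omitted and therefore arrives as an empty string.
sample_rc=0
require_inputs "path=__PROJECT_CHECKOUT_DIR__" "go-version=" || sample_rc=$?
echo "missing inputs: ${sample_rc}"
```
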