Ok. Thanks. I understand now. But it would be great if you would explain the context in the announcement and try to be a bit more vocal (builds@ seems like a great place to announce such changes).
It caught everyone by surprise. Again, the scenarios you explain were already discussed before (I have to rush now and fix stuff for our committers, so I cannot find it quickly). I raised it a few months ago and there was a consensus to use https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions, which explains exactly what to do (using pinned hashes), which we rigorously follow and recommend everyone to do, to prevent exactly the scenarios you described. While I understand this approach can't be enforced (and the policy is reasonable), it could have been acted on before, I think, and without such a rush.

J.

On Sun, Dec 27, 2020 at 1:57 PM Greg Stein <gst...@gmail.com> wrote:

> On Sun, Dec 27, 2020 at 6:54 AM Jarek Potiuk <jarek.pot...@polidea.com>
> wrote:
> >...
> >
>> Was it as a response to some security incident that would justify such
>> immediate and disruptive action without an earlier warning? What was the
>> reasoning behind this?
>>
>
> Yes.
>

-- 
Jarek Potiuk
Polidea <https://www.polidea.com/> | Principal Software Engineer
M: +48 660 796 129
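The hardening guide linked in the message recommends pinning third-party actions to a full-length commit SHA rather than a tag or branch, since tags and branches are mutable and can be moved to malicious code after the fact. The script below is an added example, not code from this thread, from Apache infrastructure, or from GitHub: it scans a workflow file for `uses:` references and reports which ones are pinned to a 40-hex commit SHA and which are not. The sample workflow, the action names and the SHA in it are constructed for illustration; the classification of 7-to-39-hex refs as "short-sha" is a heuristic (a tag that happens to look like hex would be misreported), and local (`./`) and `docker://` references are skipped because they have no upstream commit to pin.

```python
import re

# A reference is "pinned" only when it is a full 40-hex-character commit SHA;
# GitHub's hardening guide calls for full-length SHAs, not abbreviated ones.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$", re.IGNORECASE)

# Matches "uses: owner/repo@ref", optionally as a list item and optionally quoted.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*(['"]?)([^'"\s#]+)\1""")

# Constructed sample workflow (not from any real repository). The SHA is synthetic.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.12
      - uses: "some-org/some-action@main"
      - name: short
        uses: other/action@abc1234
      - uses: third/unversioned
"""


def parse_uses(reference):
    """Split 'owner/repo[/path]@ref' into (action, ref).

    Returns None for local ('./...') and 'docker://' references, which are not
    fetched from an upstream Git repository and so cannot be SHA-pinned here.
    A reference with no '@' yields ref=None.
    """
    if reference.startswith("./") or reference.startswith("docker://"):
        return None
    if "@" not in reference:
        return reference, None
    action, _, ref = reference.rpartition("@")
    return action, ref


def classify(ref):
    """Classify a ref: pinned (full SHA), short-sha, mutable (tag/branch), unversioned."""
    if ref is None:
        return "unversioned"
    if FULL_SHA_RE.match(ref):
        return "pinned"
    if SHORT_SHA_RE.match(ref):
        return "short-sha"  # heuristic: a hex-looking tag would land here too
    return "mutable"


def audit_workflow(text):
    """Return [(line_no, action, ref, status)] for every remote 'uses:' line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        parsed = parse_uses(m.group(2))
        if parsed is None:
            continue
        action, ref = parsed
        findings.append((line_no, action, ref, classify(ref)))
    return findings


def unpinned(findings):
    """Everything that is not pinned to a full commit SHA, in file order."""
    return [f for f in findings if f[3] != "pinned"]


if __name__ == "__main__":
    results = audit_workflow(SAMPLE_WORKFLOW)
    for line_no, action, ref, status in results:
        print(f"line {line_no:>3}: {status:<11} {action}@{ref}")
    # Non-zero exit when anything is unpinned, so the script can gate a CI job.
    raise SystemExit(1 if unpinned(results) else 0)
```

Run it against a real `.github/workflows/*.yml` by replacing `SAMPLE_WORKFLOW` with the file contents; the non-zero exit on any unpinned reference lets the check sit in a pre-commit hook or CI job, which is one way to turn the guide's recommendation into something closer to enforced.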