On Tue, Dec 29, 2020 at 5:33 PM Greg Stein <gst...@gmail.com> wrote:
>
> One of things that we will likely do is perform a scan of any
> Action/workflow .yml at commit time, to ensure that any "uses:" is defined
> with a hash rather than a tag. That should prevent the kind of attack Jarek
> described where Action FOO@v7 does something very different today, than it
> did yesterday.
>
It would be nice if we could keep using tags from known verified sources like github, microsoft, etc., which seems to be the case now. They make fairly frequent changes to improve the stability of the actions, and without a good way to know when to bump the SHA that is going to be a pain. TBH I don't see how the threat surface here is that much different than pulling down packages from pypi or npm at build time.

While this change caught us off guard, it was not that hard to get things moving again. It would be nice if, in the future, changes that will very likely break things (urgent or not) were CCed to the Incubator General mailing list. Not all of us have found our way to the right mailing lists.

Thanks for helping keep the projects safe, especially over the holidays!

--Brennan
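The commit-time scan Greg describes, as an added illustration and not code from the thread or from the ASF infra team: it walks a workflow file's `uses:` lines and reports any action not pinned to a full commit SHA, with an optional `allow_tag_owners` set that models Brennan's suggestion of still accepting tags from trusted owners (that policy knob, the sample workflow and its SHA are all constructed here).

```python
import re
from typing import FrozenSet, List, Tuple

# One "uses:" step line; captures the action reference (quotes and comments stripped).
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')               # git commit, not a tag/branch
DOCKER_DIGEST_RE = re.compile(r'@sha256:[0-9a-f]{64}$')    # image pinned by digest

def classify_uses(ref: str, allow_tag_owners: FrozenSet[str] = frozenset()) -> str:
    """Return 'pinned', 'local', 'allowed-tag' or 'unpinned' for one uses: value."""
    if ref.startswith('./'):
        return 'local'          # same-repo action: versioned with the repo itself
    if ref.startswith('docker://'):
        return 'pinned' if DOCKER_DIGEST_RE.search(ref) else 'unpinned'
    if '@' not in ref:
        return 'unpinned'       # no ref at all resolves to the default branch
    action, version = ref.rsplit('@', 1)
    if FULL_SHA_RE.match(version):
        return 'pinned'
    owner = action.split('/', 1)[0]
    # Assumed policy: tags tolerated only for explicitly trusted owners.
    return 'allowed-tag' if owner in allow_tag_owners else 'unpinned'

def scan_workflow(text: str, allow_tag_owners: FrozenSet[str] = frozenset()) -> List[Tuple[int, str, str]]:
    """Return (line_no, ref, verdict) for every uses: line that is neither pinned nor local."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            verdict = classify_uses(m.group(1), allow_tag_owners)
            if verdict not in ('pinned', 'local'):
                findings.append((n, m.group(1), verdict))
    return findings

# Constructed sample workflow; the 40-hex SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/lint
      - uses: some-org/release-tool@main
      - uses: docker://alpine:3.12
"""

if __name__ == '__main__':
    for line_no, ref, verdict in scan_workflow(SAMPLE_WORKFLOW, frozenset({'actions'})):
        print(f'line {line_no}: {ref} is {verdict}')
```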