CI: Use hashes for GitHub actions #394

Open
wants to merge 2 commits into base: master

Conversation

@oscargus (Contributor) commented Jun 8, 2025

See https://blog.rafaelgss.dev/why-you-should-pin-actions-by-commit-hash for motivation why this is the safer way to handle action versions.

Also update the brunch dependency version.

One may consider activating the dependabot action, see https://github.com/apytypes/apytypes/blob/main/.github/dependabot.yml for an example (although one may consider checking weekly rather than monthly). This will create a PR to update the versions/hashes to the latest version when a new one is available.

@Schottkyc137 (Contributor) commented:

This looks good to me in theory but the clear disadvantage of the approach is readability. Is there some real danger that one of the actions could be overtaken by a malicious actor?

@oscargus (Contributor, Author) commented:

> Is there some real danger that one of the actions could be overtaken by a malicious actor?

Hard to say. One may for sure speculate that the actions provided by GitHub may be less likely to be taken over.

Regarding readability, the important thing is the version number (which will be automatically updated by dependabot). The hashes are for sure not that informative.

Another aspect here is if the updated action breaks the CI, one will note that before actually updating it (assuming dependabot is used). Maybe not that likely as well, but quite convenient when it happens.

Finally, it also makes sure that the latest version is running in case of a major version update. Some of the workflows were still stuck at checkout action 2. Again, maybe only rarely an actual problem, but still.

To me, it makes sense, but more from a "better safe than sorry" perspective (and it is sort of good to note when the actions are updated). Not that I am actually worried about the risk as such.

(I would strongly encourage using dependabot. I can add that file, but I think a maintainer will have to activate it as well.)
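One way to check the pinning convention this PR introduces, as an added example that is not part of this PR or the project's own code: a small scanner that classifies each `uses:` reference in a workflow as a full-SHA pin (with or without the readable version comment dependabot maintains), a mutable tag, or a branch. The sample workflow and its 40-hex SHA are constructed placeholders, not real commits.

```python
import re

# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # v5
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-step
      - run: echo hi
"""

# A `uses:` step line, with an optional trailing `# vX` comment after the ref.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>.*))?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(workflow_text):
    """Return (line_no, ref, status) for every `uses:` step in the workflow text.

    status: "pinned" (full SHA + version comment), "pinned-nocomment" (full SHA
    only), "tag" (mutable, e.g. @v2), "branch" (mutable, e.g. @main),
    "no-ref" (missing @ref) or "local-or-docker" (nothing upstream to pin).
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref").strip("'\"")
        if ref.startswith("./") or ref.startswith("docker://"):
            status = "local-or-docker"
        else:
            _, _, version = ref.partition("@")
            if not version:
                status = "no-ref"
            elif FULL_SHA_RE.match(version):
                # Immutable pin; the comment is what keeps the version readable.
                status = "pinned" if m.group("comment") else "pinned-nocomment"
            elif re.match(r"^v?\d", version):
                status = "tag"
            else:
                status = "branch"
        findings.append((line_no, ref, status))
    return findings


def unpinned(workflow_text):
    """Only the references a maintainer would change under this PR's policy."""
    return [f for f in classify_uses(workflow_text) if f[2] in ("tag", "branch")]
```

Run `unpinned(open(".github/workflows/ci.yml").read())` over each workflow file to list the references still floating on a tag or branch.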

2 participants