Vendor in third party actions #3
Comments
|
We should also vendor in kerl |
|
Vendoring in |
|
@paulo-ferraz-oliveira Yeah, I should have noted, I have no idea what vendoring in an action looks like, so it may be hmm, not great 😢 You made the call out : Their dependencies. Ahh, that makes me sad, so maybe pinning is the best effort. |
|
I'll still leave this open until I check it further. There's several options here:
My real preference goes to 1. (2. and 3. are in order of preference, too) but that will surely imply a higher maintenance cost. |
|
I'd even vendor actions/checkout (and I did try, but I ran into issues regarding folder manipulation, so rolled back on my experiment). In any case it'd be good to get rid of that to: one less dep. and I don't consider GitHub-issued code to be more secure than any other 3rd party, fwiw. |
|
Check what's needed in https://github.com/jelly-beam/otp-macos/settings/actions, under Allow specified actions and reusable workflows. It's only 3 actions for now. |
One way the building of artifacts is vulnerable to attack is via third party actions. There's a lot of trust in that chain.
Optimally, we vendor in and audit at the time of vendoring each third party action we use.
We should also look to reduce third-party actions. As an example, we're using shellcheck right now, that's very nice, but we could also run shell check locally and reduce the surface area of attack.
If we find that too cumbersome in some instances we can still at lock a third party action at a particular sha (i.e.,
use foo@sha). See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions for more details on that.Edit: when we pull stuff in (via
curl,wgetorgit) verify that the origin is Ok by comparing SHA checksums or whatever is available.The text was updated successfully, but these errors were encountered: