Update Actions in CI and add Dependabot configuration#1843
tyrasd merged 6 commits into openstreetmap:main from
Conversation
I am unsure how much super-frequent update risks (dependency hijacking) should be balanced against risks of slow updates (some serious issues being patched).
For reference, this was also discussed extensively over at the iD repo: see e.g. openstreetmap/iD#11103 (review)
and openstreetmap/iD#11103 (comment) by @k-yle seems quite convincing to me.
Especially
enables a convincing way to social engineer problems, and given that these actions are controlled by GitHub itself, the risks of socially engineered repinning are greater than the hijacking of a real action.
Also, the proposed rule "manual updates of Actions SHA should be prohibited" is itself violated by this very PR.
And if maintainers are supposed to remember to never merge human PRs changing hashes, then could comments reminding about this be added above the hashes? I am pretty sure that I will not remember it in a few months, to say nothing of maintainers that never reviewed this PR.
Well, it should be a general guideline, even if this PR were not merged: any PR from an external contributor that changes a version of a dependency to some hash should always be treated extremely cautiously. For this PR I checked all hashes manually, and they are indeed correct.
Hi all, sorry for the slow answer, and thank you both for the time spent on this PR!
Well, you need to start somewhere, don't you? ;) But I totally agree with you, don't take my PR at face value. A potential middle ground would be to at least use the full semantic version for each Action, without the digest, and let Dependabot do its job. Currently, with only providing the major version, you do not have a reproducible pipeline (you can run one day with v4.0.1 and the next with v4.0.2, for example, which in theory should not introduce any regression if the Action follows proper semantic versioning; but then you are back to the problem of supply chain attacks: if your pipeline runs often, a hijacked v4.0.2 would not be noticeable for you).
Thank you, appreciate the review! :)
Description, Motivation & Context
Hi there! :)
This pull request updates the project's continuous integration configuration by extending Dependabot's monitoring capabilities. The change ensures that the GitHub Actions used within the repository are automatically checked for updates on a daily basis, the same as the current NPM configuration.
This PR also updates the Actions currently used to their latest available versions, and uses the recommended best practice of pinning each version to its release SHA hash. Dependabot is able to update the hash for future releases and update the comment to reflect which semantic version it corresponds to.
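The kind of check this thread keeps coming back to (every `uses:` pinned to a commit SHA, with a full semantic-version comment beside it so humans and Dependabot can see which release it is), as an added example that is not part of this PR or the iD project: a small Python linter run over a constructed workflow file. The sample workflow, its action names and its 40-hex SHAs are placeholders I made up, not values from the repository.

```python
import re

# Constructed sample workflow (not from the PR); the SHAs are placeholder hex, not real commits.
SAMPLE_WORKFLOW = """\
name: CI
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: actions/setup-node@v4
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

# `uses: <ref>` optionally followed by a trailing `# <comment>` (where the version note lives).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # an immutable git commit SHA
SEMVER_RE = re.compile(r"^v?\d+\.\d+\.\d+$")    # full X.Y.Z release, not just a major tag


def check_uses_line(ref, comment):
    """Return a list of findings for one `uses:` reference; an empty list means it passes."""
    # Local composite actions and docker:// images are outside the action-pinning policy.
    if ref.startswith("./") or ref.startswith("docker://"):
        return []
    if "@" not in ref:
        return ["no version reference at all"]
    name, version = ref.rsplit("@", 1)
    findings = []
    if not SHA_RE.fullmatch(version):
        # A tag or branch can be moved after the fact; only a SHA is reproducible.
        findings.append(f"{name} is pinned to mutable ref '{version}', not a 40-hex commit SHA")
    if not comment or not SEMVER_RE.fullmatch(comment.strip()):
        # Without the comment a reviewer cannot tell which release the SHA is meant to be.
        findings.append(f"{name} has no full semantic-version comment next to the pin")
    return findings


def lint_workflow(text):
    """Scan a workflow file and return (line_number, finding) pairs for every policy miss."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            for f in check_uses_line(m.group("ref"), m.group("comment")):
                findings.append((lineno, f))
    return findings


if __name__ == "__main__":
    for lineno, finding in lint_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {finding}")
```

Running it on the sample reports the `setup-node@v4` step twice (mutable ref and no version comment) and the `cache` step once (SHA but no comment), while the correctly pinned `checkout` step and the local and docker steps are silent.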