Split unpinned-uses into two separate checks #205
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
funnelfiasco
commented
Nov 26, 2024
woodruffw
reviewed
Nov 26, 2024
woodruffw
reviewed
Nov 26, 2024
woodruffw
reviewed
Nov 26, 2024
|
Thanks @funnelfiasco! The overall approach here LGTM; I left a couple of nits. If you want to run |
|
Updated based on feedback:
Todo, pending approval of these changes:
|
funnelfiasco
force-pushed
the
issue179-pedantic_unpinned_checks
branch
from
60afb21 to
c4c86d6
Compare
funnelfiasco
changed the title
|
Rested, tested, and ready for review |
funnelfiasco
changed the title
|
Thanks! I'll do a review pass tomorrow. |
woodruffw
reviewed
Nov 28, 2024
woodruffw
reviewed
Nov 28, 2024
1. A Medium-severity for entirely unpinned 2. A Low-severity for pinned to branch or tag (since this can be a vector for a supply chain attack) Signed-off-by: Ben Cotton <[email protected]>
This updates several tests that broke in the process Signed-off-by: Ben Cotton <[email protected]>
Signed-off-by: Ben Cotton <[email protected]>
funnelfiasco
force-pushed
the
issue179-pedantic_unpinned_checks
branch
from
c4c86d6 to
0581fb9
Compare
|
Updated based on feedback |
woodruffw
approved these changes
Nov 28, 2024
There was a problem hiding this comment.
Thanks, LGTM! I thought about it a bit more and I'm mildly worried that having the unhashed() check by default (vs. pedantic) is going to cause too much alert fatigue for most CI users. But that's not a blocker here, since this is a good impetus for me to rethink the sensitivity defaults/flags.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Here's my first pass at implementing #179. The code is there and functional, AFAICT. I've tested it against a real workflow file that uses repo paths. I don't have any handy that use Docker, but if I understand the model correctly, it's very straightforward to check it and so my code will Just Work™.
I will add tests and docs before I remove the "WIP" from this, but I wanted to make sure what I've done here is generally acceptable before I put effort into that part.Since most of the "what to do if we find an unpinnedusesof either flavor" is repetitive, I tossed in a flag instead of repeating that code.There's a lot of "not" in the new function I created in the model. It could have been written a little more cleanly without the negations, but that kept the usage the same as in the existing
unpinned(), which seemed more important.Of note, this only looks to see if the pin looks like a SHA. It does not attempt to verify that such a SHA actually exists. You probably expect that, but I wanted to be explicit about it (and I will be in the docs updates, when I create them)
Edit to add: I have also not run fmt or clippy yet, since it seemed like something that could wait until I got a thumbs up on the general direction.Fixes #179