
Comments (11)

webknjaz commented on May 20, 2024

> i see other actions (checkout, etc.) make a v1, v2 branch etc., so you can use ansible-lint-action@v2 to get the major version, and then tag v2.0.1 etc.

The security considerations of versioning are virtually unsolved in the GitHub Actions ecosystem. GitHub showcases and promotes bad practices in this regard, unfortunately. I recommend that you, as a user, not trust any tag-based or branch-based versioning in GHA and always use commit SHA. Of course, you may rely on some trusted repos like the ones GitHub maintains, but nothing else. People tend to forget that tags are floating pointers to an arbitrary repo revision just as much as branches. And the end-users who rely on things like @v1 are just as responsible for this decision as GitHub, which advertises it. Most folks don't understand how Git works, don't understand security, or the consequences just don't occur to them because of the lack of experience.

To make it a bit more illustrative:

  1. You start using some/action@v1 which points at commit XXX.
  2. v1 gets updated to point to XXX1 (for v1.1).
  3. You keep using it, you get new cool features.
  4. A malicious actor Bob with access to that action (a maintainer even) adds a commit YYY that has some malware and points v1 at YYY.
  5. The action keeps working, no features broken. With just a tiny difference that it steals something from you (accessing secrets) or modifies your artifacts (supply chain attack).
  6. Shortly after (4), Bob reverts it and points v1 to the next legitimate version v1.2 at commit XXX2.
  7. You keep using it and don't have any suspicion that you were compromised or maybe worse.
  8. There are no logs or any other protection against this whatsoever. There's almost no trace in the system and no tooling to track such breaches. The log will just say that GHA checked out v1 and that's it! (Well, I guess if you know upfront that you're going to be attacked, then you'd enable debug mode in GHA and maybe it'd contain the real commit hash that got used, but you're informed about this by hackers.)
  9. After some time, job logs expire and you lose any chance to notice if things went wrong (given that at least anything suspicious ends up in that log).

Now, I understand that we're on the maintenance side of the problem, but nevertheless, I think it's wrong to support GH in spreading these unsecured practices. This is why I'm still looking into a more sustainable solution.

Another problem is that tags are supposed to be immutable, but there's nothing in Git enforcing this, so GitHub basically abuses the original purpose of tags by continuing to force-push them. This is something that works against traceability, as demonstrated above.

I'm looking for better solutions in another project that would at least keep the tags immutable on our side (pypa/gh-action-pypi-publish#45). That's why I ended up postponing tagging things...

from ansible-lint-action.
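A defender-side check for the scenario described above, added here as an example and not part of the thread or the ansible-lint-action project: a POSIX shell audit that lists every `uses:` reference in a workflow that is not pinned to a full 40-hex commit SHA, and prints the pinned form once a SHA has been verified out of band. The sample workflow is constructed; the SHA is the one quoted later in this thread.

```shell
#!/bin/sh
# Added example (not from the issue thread): audit a GitHub Actions workflow
# for `uses:` references that are NOT pinned to a full 40-hex commit SHA.
# Floating refs (@master, @v1, @v2.0.1) can be re-pointed by whoever controls
# the action repo, as the scenario above describes; a full SHA cannot be
# silently moved. A constructed sample workflow stands in for a real file.
SAMPLE_WORKFLOW='name: lint
on: [push]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Lint Ansible Playbook
        uses: ansible/ansible-lint-action@master
      - name: Lint Ansible Playbook (pinned)
        uses: ansible/ansible-lint-action@c37fb7b4bda2c8cb18f4942716bae9f11b0dc9bc
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
'

# Print every `uses:` reference whose ref is not a 40-hex SHA, one per line.
# Local (./) and docker:// references are skipped: pinning those is a
# different problem (repo path / image digest), not a Git ref.
unpinned_uses() {
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*//p' |
    grep -v '^\./' | grep -v '^docker://' |
    grep -Ev '@[0-9a-f]{40}([[:space:]]|$)'
}

# Number of unpinned references; 0 means the workflow is fully SHA-pinned.
count_unpinned() {
  unpinned_uses "$1" | grep -c . || true
}

# Rewrite one ref to its pinned form, given the SHA you verified out of band
# (e.g. from `git ls-remote` or the release page), keeping the original tag
# as a trailing comment so reviewers still see the intended version.
pin_suggestion() {
  ref="$1"; sha="$2"
  printf '%s@%s # was %s\n' "${ref%@*}" "$sha" "${ref#*@}"
}

unpinned_uses "$SAMPLE_WORKFLOW"
```

Running the block against the constructed sample lists `actions/checkout@v4` and `ansible/ansible-lint-action@master` as the two floating references; the SHA-pinned step passes.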

webknjaz commented on May 20, 2024

Thanks for the report! The workaround could be using with: override-deps: ... for now.

webknjaz commented on May 20, 2024

Merged. If you look at the README, it already has this example:

    - name: Lint Ansible Playbook
      uses: ansible/ansible-lint-action@master
      with:
        override-deps: |
          ansible==2.9
          ansible-lint==4.2.0

srl295 commented on May 20, 2024

@webknjaz I was just trying that when I saw you merged.

Hey, would you consider tagging a release of ansible-lint-action? (Thanks for this action!)

srl295 commented on May 20, 2024

Also, if there were a prebuilt ansible-lint-action (#36), this would have been mitigated, I suppose, because the prebuilt image would be used instead of the latest every time.

srl295 commented on May 20, 2024

Ref: https://unicode-org.atlassian.net/browse/CLDR-14483

srl295 commented on May 20, 2024

@webknjaz Hm, not sure how that would work. I made a PR: #46

srl295 commented on May 20, 2024

I see other actions (checkout, etc.) make a v1, v2 branch etc., so you can use ansible-lint-action@v2 to get the major version, and then tag v2.0.1 etc.

But just a numeric tag would be fine too, so I don't have to include a specific commit.

srl295 commented on May 20, 2024

OK this is working for me:

    - name: Lint Ansible Playbook
      uses: ansible/ansible-lint-action@c37fb7b4bda2c8cb18f4942716bae9f11b0dc9bc

srl295 commented on May 20, 2024

@webknjaz fair enough…

ssbarnea commented on May 20, 2024

Closing, as we already have v6 on main and will soon also add a tag for it.