Re-add CI releases #41
Please whitelist these actions.

Sorry for the delay. Whitelisted the hash.

Thank you! I think there might be a few actions that need to be whitelisted, but I'm unsure.

Yep, that's a good start, but the workflow uses a couple more actions that need whitelisting:

```yaml
# Doesn't touch github_token
- fjogeleit/yaml-update-action@v0.10.0
- oddstr13/jellyfin-plugin-repository-manager@master
# Uses token but I've reviewed the pinned version
- softprops/action-gh-release@50195ba7f6f93d1ac97ba8332a178e008ad176aa
- kevinjil/jellyfin-plugin-repo-action@v0.4.0
```

I checked the format for the actions whitelist; here's the specification that needs to be added to whitelist the actions used in the workflow:
Originally posted by @9p4 in #39 (comment)
When I opened the PR, Kevin hadn't merged my changes into his upstream; they should be at parity now, though.

It's valid to be paranoid about supply-chain attacks, but I don't know how to fully answer this.

Short answer is: I think so.

I'm in direct correspondence with the authors and contribute directly to the actions concerned with building.

Re: the actions concerned with the GitHub API that use tokens, the version is pinned to a specific tag, which should be sufficient to ensure we can at least rely on the version we're running.

Mostly they seem to have minimal dependencies, too.

I'll have to check that in more depth, but I can vouch for the current state of Kevin's action at the very least.

Your review is as good as mine for the rest.
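The pinning question raised in this thread (whether each `uses:` reference is pinned to a commit hash, a tag, or a branch, and which references an allowlist actually covers) can be checked mechanically before asking a maintainer to whitelist anything. The script below is an added example written for this page; it is not code from the jellyfin plugin repository or from any of the action authors. The sample workflow, the local action path, and the `owner/repo@ref` allowlist format are constructed assumptions, since the real whitelist format is not shown on this page.

```python
import re

# Constructed sample workflow (an assumption, not the repository's own file):
# it contains the four `uses:` references named in the thread plus a local
# action so the "local" branch of the classifier is exercised.
SAMPLE_WORKFLOW = """\
name: release
on:
  push:
    tags: ["v*"]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: fjogeleit/yaml-update-action@v0.10.0
      - uses: oddstr13/jellyfin-plugin-repository-manager@master
      - uses: softprops/action-gh-release@50195ba7f6f93d1ac97ba8332a178e008ad176aa
      - uses: kevinjil/jellyfin-plugin-repo-action@v0.4.0
      - uses: ./.github/actions/local-step
"""

# Hypothetical allowlist in "owner/repo@ref" form; the actual whitelist
# format discussed in the thread is not reproduced here.
SAMPLE_ALLOWLIST = [
    "softprops/action-gh-release@50195ba7f6f93d1ac97ba8332a178e008ad176aa",
]

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?\d+(\.\d+)*(-[\w.]+)?$")


def classify_ref(ref):
    """Return how a `uses:` reference is pinned.

    "sha"    - full 40-hex commit id; the checked-out content cannot change
    "tag"    - version-looking tag; the action owner can move it later
    "branch" - anything else (e.g. master); follows whatever is pushed
    """
    if SHA_RE.match(ref):
        return "sha"
    if TAG_RE.match(ref):
        return "tag"
    return "branch"


def audit_workflow(text, allowlist=()):
    """Parse every `uses:` line and report its pin kind and allowlist status."""
    allowed = set(allowlist)
    report = []
    for m in USES_RE.finditer(text):
        uses = m.group(1).strip("'\"")
        entry = {"uses": uses, "kind": None, "mutable": False, "allowed": None}
        if uses.startswith("./") or uses.startswith("docker://"):
            # Local actions and docker images are not third-party repos
            # fetched by git ref, so pin classification does not apply.
            entry["kind"] = "local"
            report.append(entry)
            continue
        repo, _, ref = uses.partition("@")
        entry["kind"] = classify_ref(ref) if ref else "unpinned"
        entry["mutable"] = entry["kind"] != "sha"
        entry["allowed"] = uses in allowed
        report.append(entry)
    return report


def needs_review(report):
    """Third-party actions that are mutable pins or not on the allowlist."""
    return [
        e["uses"]
        for e in report
        if e["kind"] != "local" and (e["mutable"] or not e["allowed"])
    ]


if __name__ == "__main__":
    for e in audit_workflow(SAMPLE_WORKFLOW, SAMPLE_ALLOWLIST):
        print(f"{e['kind']:<8} mutable={e['mutable']!s:<5} "
              f"allowed={e['allowed']}  {e['uses']}")
```

Run against the constructed workflow, only the `softprops/action-gh-release` entry comes out as an immutable, allowlisted pin; the three tag- and branch-pinned references are listed by `needs_review` because a tag or branch can be moved by the action's owner after the allowlist entry was written, whereas a 40-hex commit id cannot.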