action-allowlist-review: bump posit-dev/setup-air from 1.0.0 to 1.0.1 in /.github/actions/for-dependabot-triggered-reviews#724
Conversation
The change suggests people use pull_request_target for the action, which I think is not a good idea to encourage. @raboof @dave2wave @ppkarwasz WDYT?
potiuk
left a comment
Requesting changes for now until we clarify if we want to merge the Pull Request Target change.
Looking at Air's README, it installs using a shell script, which is not considered the safest way to install software.
I only see an example workflow that suggests people to use

What concerns me more is the lack of options to verify the

[from: GitHub Documentation: Secrets] GitHub Actions can only read a secret if you explicitly include the secret in a workflow.

Yeah, I think in this case that might be a "justified exception" case. However I would be much more "safe" with those if we introduce the check that all actions with secrets should be run in a separate environment - that is something that I will add as a proposal to #686

Yes. This is also a concern. And we can add such a check in our "verify actions" check. That's a good idea to do so - and one of the things that the Astral team also does in https://astral.sh/blog/open-source-security-at-astral I will also add it as a proposal to #686, make a PR to the verify check and let's see how it reports on this action.
The binary-download check previously only covered Dockerfiles,
action.yml run-blocks and referenced shell/python scripts, and was
gated behind `if not is_js_action:` so it never fired for JS actions
at all. But JS actions commonly shell out to fetch pre-built binaries
from their own TypeScript sources (e.g. `@actions/tool-cache`'s
`tc.downloadTool`, which does NOT verify checksums).
This commit:
- Moves the binary-download check out of the non-JS branch in
`verification.py`, so it runs for every action type.
- Adds JS/TS download and verification patterns in `security.py`
(`tc.downloadTool`, `downloadTool`, bare `fetch("https://…")`,
`http(s).get/request`, `axios.*`, `new HttpClient`, `node-fetch`;
verification via `crypto.createHash`, WebCrypto `subtle.digest`,
sigstore/cosign, `verify*`/`computeHash` helpers).
- Discovers JS/TS source files via the GitHub trees API, scanning
the repo root plus conventional source dirs (`src/`, `lib/`,
`source/`, `sources/`, `scripts/`) and explicitly excluding
`dist/`, `build/`, `out/`, `node_modules/`, `coverage/`, tests,
examples and docs to keep noise down.
- Applies the "verification must appear in the same file as the
download" rule consistently with the existing shell-side check.
Confirmed against posit-dev/setup-air (PR #724): the scanner now
flags `src/download/download-version.ts` for calling
`tc.downloadTool` with no adjacent checksum/signature step, and the
overall verification exits 1.
Generated-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
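A minimal version of the same-file rule the commit message above describes, added here as an illustration (it is not the scanner's own `verification.py`/`security.py` code): the regexes for the download and verification families and the two TypeScript samples are assumptions constructed for this example.

```python
import re
# Constructed sample sources (not files from posit-dev/setup-air): the first
# fetches an archive with tc.downloadTool and never checks it, the second hashes
# the download with crypto.createHash before trusting it.
UNVERIFIED_TS = """import * as tc from "@actions/tool-cache";
export async function download(url: string): Promise<string> {
  const archive = await tc.downloadTool(url);
  return tc.extractTar(archive);
}"""
VERIFIED_TS = """import * as tc from "@actions/tool-cache";
import * as crypto from "crypto";
import * as fs from "fs";
export async function download(url: string, expected: string): Promise<string> {
  const archive = await tc.downloadTool(url);
  const digest = crypto.createHash("sha256").update(fs.readFileSync(archive)).digest("hex");
  if (digest !== expected) throw new Error("checksum mismatch");
  return archive;
}"""

# Assumed regexes for the pattern families the commit message lists; the
# project's own tables in security.py may differ.
DOWNLOAD_PATTERNS = [
    r"\btc\.downloadTool\s*\(", r"\bdownloadTool\s*\(", r"\bfetch\s*\(\s*[\"'`]https?://",
    r"\bhttps?\.(get|request)\s*\(", r"\baxios\.\w+\s*\(", r"\bnew\s+HttpClient\s*\(", r"node-fetch",
]
VERIFY_PATTERNS = [
    r"\bcrypto\.createHash\s*\(", r"\bsubtle\.digest\s*\(", r"\bsigstore\b",
    r"\bcosign\b", r"\bverify\w*\s*\(", r"\bcomputeHash\s*\(",
]
# Directories the commit excludes (build output, dependencies, coverage).
EXCLUDED_PREFIXES = ("dist/", "build/", "out/", "node_modules/", "coverage/")

def match_lines(source, patterns):
    """1-based line numbers at which any of the patterns matches."""
    return sorted({source[:m.start()].count("\n") + 1
                   for p in patterns for m in re.finditer(p, source)})

def check_file(path, source):
    """Same-file rule: a download with no verification call in that file is flagged."""
    downloads = match_lines(source, DOWNLOAD_PATTERNS)
    verifications = match_lines(source, VERIFY_PATTERNS)
    return {"path": path, "downloads": downloads, "verifications": verifications,
            "flagged": bool(downloads) and not verifications}

def scan(files):
    """files: {repo path: source}. Returns the flagged paths, sorted."""
    return sorted(p for p, s in files.items()
                  if not p.startswith(EXCLUDED_PREFIXES) and check_file(p, s)["flagged"])
```

Because the rule is per file, a checksum computed in a sibling module does not clear a download; that is the trade-off the commit accepts to keep the check simple and consistent with the shell-side one.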
@dependabot rebase
Bumps [posit-dev/setup-air](https://github.com/posit-dev/setup-air) from 1.0.0 to 1.0.1.
- [Release notes](https://github.com/posit-dev/setup-air/releases)
- [Changelog](https://github.com/posit-dev/setup-air/blob/main/CHANGELOG.md)
- [Commits](posit-dev/setup-air@63e80de...cf39057)

---
updated-dependencies:
- dependency-name: posit-dev/setup-air
  dependency-version: 1.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
5b5e75b to 2623906
When a JS action rebuilds cleanly but fails only the binary-download verification check, the RESULT panel incorrectly reported "Differences detected between published and rebuilt JS" because the failure branch selected its message on `is_js_action` rather than the actual cause.

Reorder the branches to dispatch on the real failure condition: all_match=False → JS-mismatch message; otherwise binary download failures → binary-download message.

Observed on PR #724 (posit-dev/setup-air): JS row was ✓ pass, Binary row was ✗ fail, yet the RESULT panel still referenced a JS mismatch.

Adds regression tests for both paths (JS action with unverified download; JS action with actual JS mismatch).

Generated-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Bumps posit-dev/setup-air from 1.0.0 to 1.0.1.
Changelog
Sourced from posit-dev/setup-air's changelog.
Commits
- cf39057 CHANGELOG bump for v1.0.1
- 5a6dcc4 CHANGELOG bullet
- 9c116ab Use node24 in action.yml
- 278edc7 Use Node 24 in CI
- 689e0be Bump actions/checkout from 4 to 6 (#90)
- 4758bdc Bump @biomejs/biome from 2.1.2 to 2.3.2 (#88)
- 0a6f2cb Bump typescript from 5.8.3 to 5.9.3 (#73)
- fd44413 Bump actions/setup-node from 4 to 6 (#80)
- f1b501b Bump @octokit/core from 7.0.3 to 7.0.5 (#71)
- 7a09b0b Bump @types/semver from 7.7.0 to 7.7.1 (#60)