Fix potential github action smells #29273
Fix gha smells
- Stop running workflows when there is a newer commit in PR
- Use commit hash instead of tags for action versions
- Use fixed version for runs-on argument
- Define permissions for workflows with external actions
permissions: | ||
contents: write |
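Review bot: `contents: write` under `permissions:` grants the workflow's GITHUB_TOKEN write access to the repository contents, which a job that only validates commit messages never needs; use `contents: read` (or the smallest scope the action documents) so that a compromised step in this job cannot push to the repository.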
Why? This job doesn't write anything
@@ -8,10 +8,12 @@ on: | |||
jobs: | |||
validate-commit-message: | |||
name: Validate Commit Message | |||
runs-on: ubuntu-latest | |||
runs-on: ubuntu-22.04 |
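Review bot: pinning `runs-on: ubuntu-22.04` is a reproducibility choice rather than a security one for a job that only validates commit messages, and the fixed label will need a manual bump when GitHub retires that image, whereas `ubuntu-latest` tracks it automatically; if the pin stays, add a comment on that line saying why so the next maintainer does not revert it.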
What's the point of specifying the exact runner machine? This job just validates commit messages; it doesn't build anything, so we don't care about what runs it.
steps: | ||
- name: Validate Commit Message Content | ||
uses: gsactions/commit-message-checker@v1 | ||
uses: gsactions/commit-message-checker@b88ee88552f16f594ca19cb2c7fcd90df95c9bd4 # v1 |
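Review bot: the SHA pin is the right mitigation against a moved or re-tagged `v1`, but the trailing `# v1` comment now carries the only human-readable version and nothing keeps it in sync with the hash; verify that `b88ee88552f16f594ca19cb2c7fcd90df95c9bd4` resolves to the intended release before merging and configure Dependabot (or an equivalent) to bump the hash and the comment together, since hand-maintained pins tend to go stale.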
Same question here. Why is it better than using a particular tag?
It has to do with security, given that code attached to a tag can be altered by malicious users whereas commits cannot. Here is a scientific paper and a blog post about potential security risks related to GitHub Actions
This can be mitigated by limiting the set of permissions given to this job, and you have proposed to do the opposite.
Again, the whole purpose of this job is to validate commit messages so they match a particular pattern. Nothing fancy.
I don't think these changes are worth adding.
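The pinning and permissions points argued in this thread, as an added defender-side check (example code, not part of this PR or the project): a small linter that flags `uses:` references not pinned to a full commit SHA, `runs-on` labels ending in `-latest`, and permission scopes granted `write`. The `SAMPLE` workflow is constructed from this PR's job, with one step deliberately left on the tag.

```python
import re

# A 40-hex commit SHA cannot be moved; a tag or branch can be re-pointed later.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUNS_ON_RE = re.compile(r"^\s*runs-on:\s*(\S+)")
PERM_RE = re.compile(r"^\s*([a-z-]+):\s*(read|write|none)\s*$")

def lint_workflow(text):
    """Return [(line_no, message)] for a workflow file given as a string.
    Flags mutable `uses:` refs, -latest runner labels and `write` permission scopes."""
    findings = []
    perm_indent = None  # indent of the enclosing `permissions:` key, if any
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        # Leaving the permissions mapping: a non-empty line at or left of its key.
        if perm_indent is not None and stripped and indent <= perm_indent:
            perm_indent = None
        if stripped == "permissions:":
            perm_indent = indent
        elif perm_indent is not None and (m := PERM_RE.match(line)):
            if m.group(2) == "write":
                findings.append((no, f"{m.group(1)}: write; use read unless the job pushes"))
        elif m := USES_RE.match(line):
            ref = m.group(1)
            if ref.startswith(("./", "docker://")):
                continue  # local and container actions carry no git ref to pin
            _, _, version = ref.partition("@")
            if not SHA_RE.match(version):
                findings.append((no, f"{ref} uses a mutable ref; pin to a commit SHA"))
        elif m := RUNS_ON_RE.match(line):
            if m.group(1).endswith("-latest"):
                findings.append((no, f"runs-on {m.group(1)} floats; pin an image version"))
    return findings

# Constructed sample: the job from this PR, with one step still on a tag.
SAMPLE = """\
name: Validate Commit Message
on: pull_request
permissions:
  contents: write
jobs:
  validate-commit-message:
    runs-on: ubuntu-latest
    steps:
      - uses: gsactions/commit-message-checker@v1
      - uses: gsactions/commit-message-checker@b88ee88552f16f594ca19cb2c7fcd90df95c9bd4 # v1
"""
```

Running `lint_workflow(SAMPLE)` reports the `contents: write` scope, the floating runner label and the `@v1` step, and passes the SHA-pinned step.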
Hey! 🙂
I want to contribute the following changes to your workflow:
These changes are part of a research Study at TU Delft looking at GitHub Action Smells. Find out more
closes #29272