Fix potential github action smells #29273
Conversation
Fix gha smells - Stop running workflows when there is a newer commit in PR - Use commit hash instead of tags for action versions - Use fixed version for runs-on argument - Define permissions for workflows with external actions
| permissions: | ||
| contents: write |
There was a problem hiding this comment.
Why? This job doesn't write anything
| @@ -8,10 +8,12 @@ on: | |||
| jobs: | |||
| validate-commit-message: | |||
| name: Validate Commit Message | |||
| runs-on: ubuntu-latest | |||
| runs-on: ubuntu-22.04 | |||
There was a problem hiding this comment.
What's the point of specifying the exact runner machine? This job just validates commit messages; it doesn't build anything, so we don't care about what runs it.
| steps: | ||
| - name: Validate Commit Message Content | ||
| uses: gsactions/commit-message-checker@v1 | ||
| uses: gsactions/commit-message-checker@b88ee88552f16f594ca19cb2c7fcd90df95c9bd4 # v1 |
There was a problem hiding this comment.
Same question here. Why is it better than using a particular tag?
There was a problem hiding this comment.
It has to do with security, given that code attached to a tag can be altered by malicious users whereas commits cannot. Here is a scientific paper and a blog post about potential security risks related to GitHub Actions
There was a problem hiding this comment.
This can be mitigated by limiting the set of permissions given to this job, and you have proposed to do the opposite.
Again, the whole purpose of this job is to validate commit messages so they match a particular pattern. Nothing fancy.
|
I don't think these changes are worth adding. |
Hey! 馃檪
I want to contribute the following changes to your workflow:
These changes are part of a research Study at TU Delft looking at GitHub Action Smells. Find out more
closes #29272