This repository has been archived by the owner on Aug 2, 2023. It is now read-only.

Question: why use docker image from ghcr? #110

Closed
ThijsBroersen opened this issue Nov 9, 2022 · 5 comments

Comments

@ThijsBroersen

I see an issue with the switch to this image because a tag or commit ref to this repo becomes less secure as this docker ref could be overwritten. Also forking this action (security practice for organisations) is not really useful as the action logic is still in remote code which can change without notice.

Is my observation correct?
I cannot find any security related pages about how to protect against unknown content in container jobs.

@wei
Member

wei commented Nov 10, 2022

Thanks for the feedback. The change was an effort to prevent creation of tons of docker images when used in self-hosted runners. #91

I agree with your point on security considerations and it looks like we can revert back to Dockerfile as the default and self-hosted users can reference the ghcr docker image directly when using the action.

How does this sound?

@ThijsBroersen
Author

ThijsBroersen commented Nov 10, 2022

Sounds good!

@ThijsBroersen
Author

Would using a sha as image tag/ref also work here? Then you could perhaps still use an immutable image.

wei closed this as completed in 46e9131 on Nov 11, 2022
wei added a commit that referenced this issue Nov 11, 2022
@wei
Member

wei commented Nov 11, 2022

Yes, you can use sha256 to pin it for sure.

uses: docker://ghcr.io/repo-sync/pull-request:v2.9

or

uses: docker://ghcr.io/repo-sync/pull-request@sha256:cf4c56e7a11cb9eae670c2422d9ccb6fa87e34e2a7ceafe1270ad0be872c318e
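
The two reference forms above differ in whether the content they resolve to can change later. The following is an added example (not code from the repo-sync/pull-request project) that scans the `uses:` lines of a workflow and reports which references are mutable (tags, branch names, plain docker tags) versus immutable (40-hex commit SHAs, sha256 image digests); the sample workflow and its commit hash are constructed for the demonstration.

```python
import re

# Constructed sample workflow (not from the original issue). The 40-hex commit
# value is a made-up placeholder; the sha256 digest is the one quoted above.
SAMPLE_WORKFLOW = """\
jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/checkout@1234567890abcdef1234567890abcdef12345678
      - uses: docker://ghcr.io/repo-sync/pull-request:v2.9
      - uses: docker://ghcr.io/repo-sync/pull-request@sha256:cf4c56e7a11cb9eae670c2422d9ccb6fa87e34e2a7ceafe1270ad0be872c318e
      - uses: ./.github/actions/local-step
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def classify(ref: str) -> str:
    """Classify a single `uses:` reference by how it resolves over time."""
    if ref.startswith("./"):
        return "local"  # lives in the same repo; pinned by the checked-out commit
    if ref.startswith("docker://"):
        image = ref[len("docker://"):]
        if "@" in image:
            _, digest = image.rsplit("@", 1)
            # A digest after '@' wins over any tag before it when pulling.
            return "pinned-digest" if DIGEST_RE.match(digest) else "mutable-tag"
        return "mutable-tag"  # ':v2.9' or implicit ':latest' can be re-pushed
    if "@" in ref:
        _, version = ref.rsplit("@", 1)
        return "pinned-commit" if COMMIT_RE.match(version) else "mutable-ref"
    return "mutable-ref"  # no '@' at all: default branch


def audit(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line number, reference, classification) for every `uses:` line."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            findings.append((lineno, ref, classify(ref)))
    return findings


def unpinned(workflow_text: str) -> list[tuple[int, str, str]]:
    """Only the references whose content can change without a workflow edit."""
    return [f for f in audit(workflow_text) if f[2].startswith("mutable")]


if __name__ == "__main__":
    for lineno, ref, kind in unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is {kind}")
```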

@wei
Member

wei commented Nov 11, 2022

Added a section to README: Docker Container Image Usage
