Always run poetry install #1
Conversation
Because pull requests from forks can access the cache (https://docs.github.com/en/actions/guides/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache), just using the contents of the cache could potentially be a security issue if someone submits a malicious PR.
|
Actually, maybe this isn't a security issue. The worst someone could do is to change what dependencies we're using, but this wouldn't affect the package published to pypi at all. What do you think? |
|
Can't hurt. We're not running short on GH action worker time, so we might as well install fresh. Plus, perhaps they'd be able to access the PyPI secret if they were able to taint the cache in the release workflow? |
|
Is there any reason to leave the cache step at all if we don't use it during poetry install? |
Yeah, that's true.
I was guessing that poetry install will automatically check for installed dependencies and not re-download them (like what npm does), but maybe that's incorrect. Now that I think of it, though, if this is true and poetry checks for dependencies in a very simplistic way that isn't tamper-proof (such as checking package versions), then that's another potential vulnerability. |
Because pull requests from forks can access the cache (https://docs.github.com/en/actions/guides/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache), just using the contents of the cache could potentially be a security issue if someone submits a malicious PR.