Project benefits: impostor-commit and ref-confusion #143
Labels: documentation
I was reading the zizmor docs and came across the terms impostor-commit and ref-confusion and realized ghasum helps protect against both of these. The latter is - I think - kinda obvious and partly the point of this project ("As an added benefit, it can also be used as an alternative to in-workflow commit SHA."). The former though is more interesting and something I had forgotten about. In short, GitHub treats a repository and its fork as a single network, the result being that GitHub Actions may fetch commits from forks even when you specify the original repository's name. In the impostor-commit example the commit c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e does not belong to the actions/checkout repository. ghasum protects against this "problem" (/unexpected feature) because it will only consider exactly the repositories specified in the uses: directive.

In light of this, it might make some sense to document the "benefits" of this project in addition to its Limitations.
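As an added illustration (not ghasum's own code or manifest format), the following checks `uses:` pins in a constructed workflow against a constructed manifest of (repository, SHA) pairs: a non-SHA ref is flagged as mutable, and a SHA the manifest does not record for the named repository is flagged as a possible impostor commit. The recorded actions/checkout SHA is a made-up placeholder; the flagged SHA is the one quoted in the issue.

```python
import re
from typing import Dict, List, Set, Tuple

# Minimal `uses:` extraction from workflow YAML (constructed, not a full parser).
USES_RE = re.compile(r"^\s*-\s*uses:\s*(\S+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed manifest: repository -> SHAs verified to belong to that repository.
# The recorded SHA is a placeholder, not a real actions/checkout commit.
MANIFEST: Dict[str, Set[str]] = {
    "actions/checkout": {"0123456789abcdef0123456789abcdef01234567"},
}

# Constructed workflow fragment. The second checkout pin reuses the SHA from the
# issue, which the zizmor docs show does not belong to actions/checkout.
WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/checkout@c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local
"""


def check_uses(workflow: str, manifest: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (uses value, verdict) for every `uses:` directive in the workflow."""
    results = []
    for spec in USES_RE.findall(workflow):
        if spec.startswith(("./", "docker://")):
            results.append((spec, "skipped"))  # not a GitHub repository reference
            continue
        target, _, ref = spec.partition("@")
        repo = "/".join(target.split("/")[:2])  # drop any subdirectory path
        if not FULL_SHA_RE.match(ref):
            # A tag or branch name can move, and a tag and a branch may share a
            # name (ref confusion); only a full commit SHA is immutable.
            results.append((spec, "mutable-ref"))
        elif repo not in manifest:
            results.append((spec, "unknown-repo"))
        elif ref not in manifest[repo]:
            # The SHA may exist in the fork network, which GitHub serves under the
            # original repository's name, but it is not a commit of that repository.
            results.append((spec, "impostor-commit"))
        else:
            results.append((spec, "ok"))
    return results


if __name__ == "__main__":
    for spec, verdict in check_uses(WORKFLOW, MANIFEST):
        print(f"{verdict:16} {spec}")
```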