Continuously validate ghasum checksums at the job level #36
Followup to #17
Relates to #2, #4
Summary
Remove the GitHub Actions workflow that continuously validates the ghasum checksums for all Actions in this project in favor of a per-job step that validates the ghasum checksums for that job only. This makes jobs self-validating, which prevents potentially compromised jobs from executing while allowing other jobs to keep running.
The implementation leverages GitHub Actions context values to determine what job to validate, resulting in an identical step in all jobs. This makes it a good proof of concept for a ghasum action that can be used in any job.
Because of how this is implemented it is still NOT QUITE preventing running potentially compromised actions. In particular, because it requires this project's source code and correct Go version, the `actions/checkout` and `actions/setup-go` (respectively) must be run first.
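A sketch of how a single, identical step can work out which job it is validating from the runner's default environment variables, added here as an example and not taken from this PR's code. The function name `derive_job_target` is hypothetical, the `<workflow>:<job>` output format is an assumption about what the verifier is given, and the sample values are constructed.

```shell
#!/bin/sh
# Derive which workflow file and job the runner is executing from the default
# environment variables GitHub Actions sets for every step. Prints
# "<workflow path>:<job id>" (assumed target format) on success and returns
# non-zero, failing closed, when the values are missing or unexpected.
derive_job_target() {
    repo=$1          # GITHUB_REPOSITORY, e.g. owner/repo
    workflow_ref=$2  # GITHUB_WORKFLOW_REF, e.g. owner/repo/.github/workflows/ci.yml@refs/heads/main
    job=$3           # GITHUB_JOB, the job id from the workflow file

    [ -n "$repo" ] && [ -n "$workflow_ref" ] && [ -n "$job" ] || return 1

    # The workflow must belong to the repository whose checksums are checked.
    case $workflow_ref in
        "$repo"/*) path=${workflow_ref#"$repo"/} ;;
        *) return 1 ;;
    esac

    # Drop the "@refs/..." suffix, cutting at the first "@refs/" so that a
    # ref name containing "@" cannot leak into the path.
    case $path in
        *@refs/*) path=${path%%@refs/*} ;;
        *) return 1 ;;
    esac

    # Accept only workflow files directly under .github/workflows.
    case $path in
        .github/workflows/*/*) return 1 ;;
        .github/workflows/?*.yml | .github/workflows/?*.yaml) ;;
        *) return 1 ;;
    esac

    # Job ids may contain only letters, digits, "-" and "_".
    case $job in
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac

    printf '%s:%s\n' "$path" "$job"
}

# In a workflow step the inputs come from the environment:
#   target=$(derive_job_target "$GITHUB_REPOSITORY" "$GITHUB_WORKFLOW_REF" "$GITHUB_JOB") || exit 1
# Constructed sample values, for running this file locally:
derive_job_target "octo/demo" "octo/demo/.github/workflows/ci.yml@refs/heads/main" "build"
```

Because the step fails when the target cannot be derived, a job never proceeds with an unverified or mismatched workflow reference.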