support: execution from hashref disabled/broken vs GitHub Actions Security Best Practice?
Checklist
- I am using the latest version of this action.
- I have read the latest README and followed the instructions.
- I have read the latest GitHub Actions official documentation and learned the basic spec and concepts.
Describe your question
Why is execution from the main branch latest hashref disabled/broken when this is the GitHub Actions Security Best Practice to pin 3rd party GitHub actions to an immutable hashref?
I’ve already seen issues #84 and #98, but there wasn’t any reason given in those tickets other than using v2 / v3 tags, and this contradicts GitHub’s own security recommendations to not use tags for 3rd parties; see this doc section:
Is it intentional to break execution from main branch hashref or is this a mistake, and if intentional, why?
Update: I had assumed that the latest main hashref would contain the fixes in v3, but for now I’ll try using peaceiris/actions-gh-pages@068dc23d9710f1ba62e86896f84735d869951305, which is the v3 tag’s current hashref for immutability.
Relevant links
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
Relevant log output
No response
Additional context
No response
Issue Analytics
- Created 2 years ago
- Comments: 5 (4 by maintainers)
Top GitHub Comments
@peaceiris thanks for the reply, I also figured out after posting this that instead of taking the SHA of the latest trunk branch, I could use the SHA of a release instead to achieve the same effect while still using a SHA instead of a tag, as per GitHub Actions Security Best Practice.
Thanks for the reply here, closing.
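The practice settled on in this thread, referencing a third-party action by the commit SHA of a release instead of a mutable tag or branch, is something a repository can check mechanically. The following is an added example, not part of the issue and not code from the peaceiris/actions-gh-pages project: a POSIX shell check that lists every `uses:` reference in a workflow file whose ref is not a full 40-character commit SHA. The workflow it scans is constructed for the example; the only value taken from the issue is the peaceiris/actions-gh-pages SHA quoted above, and the other step names are assumptions chosen to show a tag, a branch, a local action and a SHA-pinned action side by side.

```shell
#!/bin/sh
# Added example (not from the issue or the project): report `uses:` references
# in a GitHub Actions workflow that are not pinned to an immutable commit SHA.

# Constructed sample workflow. The SHA on the peaceiris line is the one quoted
# in the issue; the remaining steps are assumptions made for the example.
make_sample_workflow() {
  cat > "$1" <<'EOF'
name: deploy
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@main
      - uses: peaceiris/actions-gh-pages@068dc23d9710f1ba62e86896f84735d869951305 # v3
      - uses: ./.github/actions/local-step
      - run: echo build
EOF
}

# Print each remote action reference (owner/repo[/path]@ref) whose ref is not a
# 40-hex-digit commit SHA. Trailing comments and quotes are stripped first;
# local actions (./path) and docker:// images are skipped, since pinning by
# SHA does not apply to them in the same way.
unpinned_uses() {
  sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*//p' "$1" \
    | sed 's/[[:space:]]*#.*$//' \
    | sed "s/[\"']//g" \
    | grep -v -e '^\./' -e '^docker://' \
    | grep -v -E '@[0-9a-f]{40}$'
}

# Number of unpinned references; a CI gate can fail the build when this is > 0.
count_unpinned() {
  unpinned_uses "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: write the sample workflow and list its unpinned references.
# Expected: actions/checkout@v3 and actions/setup-node@main (count 2).
if [ "${RUN_PIN_CHECK_DEMO:-0}" = "1" ]; then
  wf=$(mktemp)
  make_sample_workflow "$wf"
  unpinned_uses "$wf"
  echo "unpinned: $(count_unpinned "$wf")"
  rm -f "$wf"
fi
```

Running the check over a real `.github/workflows/*.yml` file (`unpinned_uses path/to/workflow.yml`) gives the list of references that would silently pick up new code if the tag or branch were moved; the SHA-pinned peaceiris line passes, while the `@v3` and `@main` lines are reported. A trailing `# v3` comment next to the SHA, as in the sample, keeps the pin readable without weakening it, because the comment is discarded before the ref is inspected.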
This issue has been LOCKED because of it being resolved!
The issue has been fixed and is therefore considered resolved. If you still encounter this or it has changed, open a new issue instead of responding to solved ones.