DOC: Advocate for using action from tagged release commit shas #13
Conversation
matthewfeickert
added
the
documentation
| @@ -11,12 +11,25 @@ jobs: | |||
| steps: | |||
| ... | |||
| - name: Upload wheel | |||
| uses: scientific-python/upload-nightly-action@main | |||
| uses: scientific-python/upload-nightly-action@8f0394fd2aa0c85d7364a9958652e8994e06b23c # 0.1.0 | |||
There was a problem hiding this comment.
could this be a major version instead, the same we do for checkout, or python, or etc?
There was a problem hiding this comment.
It depends on how much you trust the project; releases / tags can be removed and replaced, while SHAs are a bit harder to fake. But if you trust official releases made by the org, and you just want to review the new action to make sure nothing big changed, versions are fine.
There was a problem hiding this comment.
well, I would rather like to think that the releases made in the scientific-python org are official and trustworthy :)
There was a problem hiding this comment.
(after all, we all use a lot of main actions, e.g. the artifact upload one, which is I agree is not super ideal as a best practice)
There was a problem hiding this comment.
In that case, if you trust that bunch, versions seem fine ;)
There was a problem hiding this comment.
I think that @ksunden gave a good and concise summary in matplotlib/matplotlib#26023 (comment). This is not about trusting orgs or not trusting orgs. It is about trying to be extra security cautious for anything that is publishing distributions to any package index. Is this overkill? Yeah, for sure in my mind, but it also seems like a pattern with no downsides other than you have to have your eyes track a little further across the screen to read the associated tag.
after all, we all use a lot of main actions, e.g. the artifact upload one, which is I agree is not super ideal as a best practice
I will fully agree with you though that tags are better than main, and patch version tags are better than major version tags. Though I'm also willing to agree that there should be additional security hardening than using a latest tag Docker image
upload-nightly-action/Dockerfile
Line 1 in dbd5a4d
and so using the SHAs only really helps later releases (0.1.0 is the first commit in the repo). Also this GHA has no CI at all yet. 😬
There was a problem hiding this comment.
Thanks for the detailed reply. To make this bikeshed really shiny, could I ask you to include some of Kyle's concise commentary as a comment in this readme? Or even just the link you have above would be useful.
There was a problem hiding this comment.
Sure. I'm in meetings all day today though (on phone now) so feel free to add with the "Add a suggestion" tools and then accept and merge the suggestion if people would like this to get done before tomorrow.
matthewfeickert
force-pushed
the
docs/recommend-use-of-tags
branch
from
f6c122b to
4de6747
Compare
| @@ -11,12 +11,25 @@ jobs: | |||
| steps: | |||
| ... | |||
| - name: Upload wheel | |||
| uses: scientific-python/upload-nightly-action@main | |||
| uses: scientific-python/upload-nightly-action@8f0394fd2aa0c85d7364a9958652e8994e06b23c # 0.1.0 | |||
There was a problem hiding this comment.
Thanks for the detailed reply. To make this bikeshed really shiny, could I ask you to include some of Kyle's concise commentary as a comment in this readme? Or even just the link you have above would be useful.
* For security best practices, advocate that users of the action use it from known commit SHAs that correspond to tagged releases. * Advocate that users use a Dependabot config file to update the action on new tags. This will bump the commit SHA and also bump the release tag in the comment of the commit SHA. - c.f. https://learn.scientific-python.org/development/guides/gha_basic/#updating
* 'Intregration' -> 'Integration'
matthewfeickert
force-pushed
the
docs/recommend-use-of-tags
branch
from
4de6747 to
7d347c3
Compare
README.md
Outdated
| <!-- c.f. https://github.com/scientific-python/upload-nightly-action/pull/13 and | ||
| https://github.com/matplotlib/matplotlib/pull/26023#discussion_r1212539700 | ||
| for short summary of why using commit SHA --> | ||
|
|
There was a problem hiding this comment.
@bsipocz ...and after a long delay given too many meetings and weekend travel this is in now. Look good?
|
Feel free to follow-up on this in a future PR, but this looks like it is already a good improvement. Thanks!! |
Resolves #7