github-actions-ensure-sha-pinned-actions
setup-msys2
| | github-actions-ensure-sha-pinned-actions | setup-msys2 |
|---|---|---|
| Mentions | 1 | 2 |
| Stars | 33 | 268 |
| Growth | - | 5.2% |
| Activity | 7.6 | 7.0 |
| Last commit | 12 days ago | 4 days ago |
| Language | JavaScript | JavaScript |
| License | MIT License | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
github-actions-ensure-sha-pinned-actions
-
GitHub Actions by Example
Def a real concern.
If anyone is interested in mitigating it themselves, these are helpful :)
https://docs.github.com/en/actions/creating-actions/about-cu...
https://github.com/dependabot/dependabot-core/issues/2835
https://github.com/zgosalvez/github-actions-ensure-sha-pinne...
https://github.com/timmeinerzhagen/dependabot-sha-comment-ac...
setup-msys2
-
Getting Started with Git Bash
Other pages provide complementary information on that same topic.
Another thing I appreciated was the explanation of MSYS2's environments:
https://www.msys2.org/docs/environments/
Being able to painlessly switch away from MSVCRT to UCRT was helpful in solving some UTF-8 difficulties I was experiencing at the time.
Package management with pacman is rather pleasant, and the setup-msys2 GitHub Action makes it simple to provide your GHA workflow with the tools and libs you want:
https://www.msys2.org/docs/package-management/
https://packages.msys2.org/queue
https://github.com/msys2/setup-msys2
-
GitHub Actions by Example
> Actions reduce workflow steps by providing reusabe[sic] “code” for common tasks. To run an action, you include the uses keyword pointing to a GitHub repo with the pattern {owner}/{repo}@{ref} or {owner}/{repo}/{path}@{ref} if it’s in a subdirectory. A ref can be a branch, tag, or SHA.
Aside from the typo, I wonder how many packages could be backdoored at once, if an action maintainer went rogue, seeing as there's no pinning for actions by default, and (according to https://github.com/msys2/setup-msys2/blob/main/HACKING.md) moving a tag is the default way to push updates to an action. (Interestingly get-cmake/run-cmake/run-vcpkg are all operated by the same person.)
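The concern raised in both threads above (a `uses: owner/repo@tag` reference can be retargeted by whoever controls the tag, so only a full commit SHA is immutable) is what github-actions-ensure-sha-pinned-actions checks for. The script below is an added example written for this page; it is not code from that action, from setup-msys2, or from either commenter. It audits the `uses:` lines of a workflow, reports which refs are not a 40-hex commit id, and rewrites the unpinned remote actions to `owner/repo@<sha> # <tag>` using a caller-supplied tag-to-SHA resolver. Assumptions: the workflow is handled as text with only single-line `uses:` entries (no YAML parser), the sample workflow and the `FAKE_TAG_TABLE` resolver are constructed for the demo (in real use the resolver would shell out to `git ls-remote`), and the SHAs in it are placeholders, not real commits.

```javascript
// Added example, not code from github-actions-ensure-sha-pinned-actions or setup-msys2.
// Audits `uses:` targets in a GitHub Actions workflow and pins mutable refs to SHAs.

const FULL_SHA = /^[0-9a-f]{40}$/;   // a full git commit id is the only ref GitHub cannot move
// group1: indentation + "uses:", group2: optional quote, group3: the target, group4: trailing comment
const USES_LINE = /^(\s*-?\s*uses:\s*)(["']?)([^"'\s#]+)\2(\s*#.*)?$/;

// Classify one `uses:` target. Local actions (./path) run from the checked-out
// repository and so inherit the workflow's own pinning; Docker images are
// immutable only when referenced by digest; remote actions only by full SHA.
function classifyUses(spec) {
  if (spec.startsWith('./')) {
    return { spec, kind: 'local', action: spec, ref: null, pinned: true };
  }
  if (spec.startsWith('docker://')) {
    const at = spec.indexOf('@');
    const ref = at < 0 ? null : spec.slice(at + 1);
    return { spec, kind: 'docker', action: spec, ref, pinned: spec.includes('@sha256:') };
  }
  const at = spec.lastIndexOf('@');
  if (at < 0) {
    // GitHub rejects a remote action with no ref at all; report it as unpinned
    return { spec, kind: 'remote', action: spec, ref: null, pinned: false };
  }
  const ref = spec.slice(at + 1);
  return { spec, kind: 'remote', action: spec.slice(0, at), ref, pinned: FULL_SHA.test(ref) };
}

// One finding per `uses:` line, with its 1-based line number.
function auditWorkflow(text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    const m = USES_LINE.exec(line);
    if (m) findings.push({ line: i + 1, ...classifyUses(m[3]) });
  });
  return findings;
}

// Rewrite every unpinned remote action to `owner/repo[/path]@<sha> # <original ref>`.
// The original tag is kept in a trailing comment so reviewers (and tools that
// bump pinned SHAs) can still see which release the SHA corresponds to.
// `resolve(ownerRepo, ref)` returns the SHA for a tag/branch or null if unknown.
function pinWorkflow(text, resolve) {
  return text.split('\n').map((line) => {
    const m = USES_LINE.exec(line);
    if (!m) return line;
    const c = classifyUses(m[3]);
    if (c.kind !== 'remote' || c.pinned || c.ref === null) return line;
    const ownerRepo = c.action.split('/').slice(0, 2).join('/');   // drop any /path suffix
    const sha = resolve(ownerRepo, c.ref);
    if (!sha) return line;                                          // unknown ref: leave it for a human
    return `${m[1]}${c.action}@${sha} # ${c.ref}`;
  }).join('\n');
}

// Constructed sample workflow (not a real project's file). The SHA on the
// setup-node line is a placeholder chosen to be obviously synthetic.
const SAMPLE_WORKFLOW = `name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: msys2/setup-msys2@v2
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.3
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
`;

// Constructed tag->SHA table standing in for `git ls-remote` output (assumption:
// a real resolver would query the remote; these SHAs are placeholders).
const FAKE_TAG_TABLE = {
  'actions/checkout@v4': '1111111111111111111111111111111111111111',
  'msys2/setup-msys2@v2': '2222222222222222222222222222222222222222',
};
function fakeResolve(ownerRepo, ref) {
  return FAKE_TAG_TABLE[`${ownerRepo}@${ref}`] || null;
}

// Stand-alone usage: report, then show the pinned workflow.
for (const f of auditWorkflow(SAMPLE_WORKFLOW)) {
  console.log(`line ${f.line}: ${f.kind} ${f.spec} -> ${f.pinned ? 'pinned' : 'UNPINNED'}`);
}
console.log(pinWorkflow(SAMPLE_WORKFLOW, fakeResolve));
```

On the sample, lines 7, 8 and 11 are reported as unpinned; after `pinWorkflow` only the Docker image remains flagged, because a tag like `alpine:3.19` can also be re-pushed and only a `@sha256:` digest is fixed. Whatever resolver you plug in, confirm the SHA actually belongs to the tag you expect (for example by comparing against the release page) before committing the rewrite, since a tag that has already been moved will resolve to the moved commit.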
What are some alternatives?
ghactionsbyexample - GitHub Actions by Example
WSL - Issues found on WSL
github-script - Write workflows scripting the GitHub API in JavaScript
tip - GitHub Action to keep a 'tip' pre-release always up-to-date
dependabot-core - 🤖 Dependabot's core logic for creating update PR's.
toast - Containerize your development and continuous integration environments. 🥂
dependabot-sha-comment-ac
tiny-differentiable-simulator - Tiny Differentiable Simulator is a header-only C++ and CUDA physics library for reinforcement learning and robotics with zero dependencies.
github-actions-ensure-sha-pinne