by jepler
999 days ago
my tldr: If an action was originally at org1/name1 but was transferred to org2/name2, git operations using org1/name1 (including fetching actions) continue to work, silently redirected to org2/name2. This is true right up until org1/name1 is created again, at which time the redirect is removed. This allows a (potentially new!) org1 to upload whatever they like and replace the action. It doesn't matter if you trusted org1 "back then" and trust org2 now, new-org1 gets to determine what is in your action. Because transitive dependency graphs are so sprawling, you might just be vulnerable to this. Using actions "@hex-ref" may help with this somewhat, but it's not a magic bullet and has its own downsides. Yet another reason to write dumb GitHub Actions (e.g., ones that avoid doing anything more sophisticated than running shell commands), imo.
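The two checks a practitioner would want after reading the comment above, as an added example (this is not jepler's code, nor anything shipped by GitHub): a scan of workflow text for `uses:` references that resolve by mutable name plus tag or branch rather than by full commit SHA, and a way to recognise that a repository name no longer points where you think it does. The workflow text and the API responses below are constructed samples; the only GitHub facts relied on are that `GET https://api.github.com/repos/{owner}/{repo}` answers `301` with a `Location` header for a renamed or transferred repository, and that the repository JSON carries its current name in `full_name`.

```python
"""Audit GitHub Actions `uses:` references for the transfer/redirect hazard.

Added example, not code from the comment's author. A full 40-hex SHA pin
cannot be satisfied by a newly created org1/name1 (it cannot mint a commit
with that hash), so the fetch fails instead of running attacker code; a
tag or branch pin resolves to whatever the name points at today.
"""
import re

# Matches step-level `- uses: ...` and job-level `uses: ...` (reusable workflows).
USES_LINE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA = re.compile(r"^[0-9a-f]{7,39}$")


def parse_uses(value):
    """Split `owner/repo[/path]@ref` into (owner/repo, ref).

    Local (`./`) and `docker://` references are not GitHub repos; return None.
    """
    if value.startswith("./") or value.startswith("docker://"):
        return None
    target, _, ref = value.partition("@")
    parts = target.split("/", 2)
    if len(parts) < 2:
        return None
    return f"{parts[0]}/{parts[1]}", ref


def classify(value):
    """Label one `uses:` value by how its contents are resolved at run time."""
    parsed = parse_uses(value)
    if parsed is None:
        return "skip"
    _, ref = parsed
    if not ref:
        return "mutable"        # no ref at all: default branch of whatever the name resolves to
    if FULL_SHA.match(ref):
        return "sha"            # immutable content, though the name can still stop resolving
    if SHORT_SHA.match(ref):
        return "short-sha"      # abbreviated hashes are only unique within one repo's history
    return "mutable"            # tag or branch: re-resolved on every run


def audit(workflow_text):
    """Return [(uses_value, classification)] for every `uses:` line in the text."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_LINE.match(line)
        if m:
            findings.append((m.group(1), classify(m.group(1))))
    return findings


def redirect_location(status, headers):
    """Given the un-followed response to GET /repos/{owner}/{repo}, return the
    Location the name is being redirected to, or None if it answers in place."""
    if status == 301:
        return headers.get("Location")
    return None


def resolved_elsewhere(requested_slug, repo_json):
    """True when the repo JSON (after following any redirect) belongs to a
    different owner/name than the one the workflow asked for."""
    return repo_json.get("full_name", "").lower() != requested_slug.lower()


# Constructed sample workflow covering each pin style.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: org1/name1@main
      - uses: "org2/name2@0123456789abcdef0123456789abcdef01234567"
      - uses: org1/name1/sub/action@abcdef1
      - uses: ./local-action
      - run: make test
"""

# Constructed API responses: a transferred name, and its current record.
SAMPLE_REDIRECT = (301, {"Location": "https://api.github.com/repositories/123456"})
SAMPLE_REPO_JSON = {"full_name": "org2/name2", "fork": False}


if __name__ == "__main__":
    for value, label in audit(SAMPLE_WORKFLOW):
        print(f"{label:10s} {value}")
    loc = redirect_location(*SAMPLE_REDIRECT)
    print("org1/name1 redirects to:", loc)
    print("org1/name1 now lives elsewhere:", resolved_elsewhere("org1/name1", SAMPLE_REPO_JSON))
```

Run the audit over both your workflows and the `action.yml` of every composite action you pin: a SHA-pinned composite action still has its own `uses:` steps, and those are resolved by name at run time, which is the transitive exposure the comment points at. Treat any `mutable` or `short-sha` finding on a name that `redirect_location` reports as redirected as a candidate for the scenario above.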