[pre-commit.ci] pre-commit autoupdate (add zizmor config to allow ref-pinned actions) #16
Conversation
![pre-commit-ci[bot]](https://avatars.githubusercontent.com/in/68672?s=60&v=4){kind=small}
|
It appears we need to configure zizmar a bit (in 1.6.0 they modified the behavior for unpinned actions) |
pre-commit-ci
bot
force-pushed
the
pre-commit-ci-update-config
branch
from
e9414fd to
1cd6ed6
Compare
There was a problem hiding this comment.
Hi @Julian, would you be okay with that solution? (I don't see any point in having hash-pin actions in harnesses repo)
There was a problem hiding this comment.
I think the point is the same as "usual" no? I.e. it prevents vulnerabilities due to third party actions getting hacked. E.g. a scenario is:
- a harness uses an action
- that action gets hacked and goes unnoticed
- it gets run here which produces a vulnerable image
- that image potentially runs on someone's machine who uses bowtie
All of which isn't to say I'm fine with handling this later if need be, there are many places where we do this already (because I wasn't aware of how it could be an issue until zizmor reminded me)
So yeah feel free to merge of course!
There was a problem hiding this comment.
that image potentially runs on someone's machine who uses bowtie
I think I did not consider this point (I will take a look at pinning actions to hashes - at least those that build docker image)
There was a problem hiding this comment.
Just to point it out (since it wasn't obvious to me either!) dependabot will happily still keep the hash up to date. So actually another thing for us to consider if we're already considering this threat mode is that we should potentially not automerge github action bump PRs (and only do so for the implementation itself)?...
There was a problem hiding this comment.
But the problem (I think, at least, this is a problem) is that we have dependabot that updates actions automatically and not review happens - so, it looks like, there is no difference from having ref pinned actions like we do right now
There was a problem hiding this comment.
and only do so for the implementation itself
I think it might be a lot of work once we move all the test harnesses out of the bowtie repo
There was a problem hiding this comment.
And I don't think we will be able to handle that amount of work across all the repositories (since the frequency of updates for hash-pinned actions will be much higher than right now)
There was a problem hiding this comment.
But we can, probably, try that at least, and if we see that it does not work for us, go back to the ref-pinned actions
There was a problem hiding this comment.
I think that dependabot adds labels to PRs which says what it is bumping -- so I think it should be as "simple" as ignoring PRs with the github label in automerge? Maybe?? But yeah I'm good with whatever certainly in the short term!
There was a problem hiding this comment.
so I think it should be as "simple" as ignoring PRs with the github label in automerge?
Yes, that part should be simple. But then we need to find time to review that update (and this part might not be that simple once we move other harnesses to separate repos).
In any case, I will try to create a PR for that, merge it and then we will see whether it works for us or not
updates: - [github.com/woodruffw/zizmor-pre-commit: v1.5.2 → v1.7.0](zizmorcore/zizmor-pre-commit@v1.5.2...v1.7.0)
for more information, see https://pre-commit.ci
OptimumCode
force-pushed
the
pre-commit-ci-update-config
branch
from
dce9711 to
777480c
Compare
OptimumCode
changed the title
updates: