Embed mill wrapper script #752
@exoego sorry for the double pr - I realized the previous pr could be a breaking change for some users of scala-steward and mill. Thank you for your understanding

@lemony312 Then, please create a revert PR first so it can be reviewed quickly

#754.
action.yml
Outdated
| mill-wrapper-url: | ||
| description: | | ||
| Url to download the mill wrapper script from. | ||
| default: https://raw.githubusercontent.com/com-lihaoyi/mill/refs/heads/main/mill |
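Review bot: the `default` for `mill-wrapper-url` points at `refs/heads/main`, a branch ref, so the content behind this URL changes whenever that branch moves and nothing in this hunk ties a run to a reviewed copy of the script. Consider a default that contains a full commit SHA, or no default at all with the download strictly opt-in, and extend the `description` to say which ref forms are expected so users who override the value know what they are trusting.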
I am afraid this may lead to a security breach if an attacker replaced the script with a malicious one.
Such cases are happening in the OSS ecosystem in recent years.
Can this download URL include a git SHA or something, so that we can ensure a trusted version is used?
If a user of this action is eager to use the latest, such adventure is still allowed by setting https://raw.githubusercontent.com/com-lihaoyi/mill/refs/heads/main/mill at their own risk.
That is a good call out - the only reason I opted to download it instead of directly embedding the mill wrapper is because of my experience with its instability - newer versions would just break the entire script.
I think I will embed the mill wrapper directly - this is commonly used in mill projects - and give an optional parameter to download a specific version just in case.
Does that sound alright?
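The review request above, that the download URL carry a git SHA, can be enforced on the input before anything is fetched. The following is an added example, not code from this PR or from scala-steward-action; the helper name `checkWrapperUrl`, its return shape and the placeholder SHA are assumptions, and it assumes the raw.githubusercontent.com path layout `/<owner>/<repo>/<ref>/<path>`.

```typescript
// Added example: is a mill-wrapper-url value pinned to immutable content?
// Assumes the raw.githubusercontent.com layout /<owner>/<repo>/<ref>/<path>.
type UrlVerdict = { pinned: boolean; reason: string };

const RAW_HOST = 'raw.githubusercontent.com';
const FULL_SHA = /^[0-9a-f]{40}$/i;
const SAFE_SEGMENT = /^[A-Za-z0-9._-]+$/;

// Hypothetical helper; the name and return shape are not from scala-steward-action.
function checkWrapperUrl(url: string): UrlVerdict {
  const no = (reason: string): UrlVerdict => ({ pinned: false, reason });

  // Deliberately strict: no userinfo, port, query or fragment is accepted.
  const m = /^([a-z]+):\/\/([^\/?#]+)\/([^?#]*)$/i.exec(url.trim());
  if (!m) return no('not a plain absolute URL');
  const scheme = (m[1] ?? '').toLowerCase();
  const host = (m[2] ?? '').toLowerCase();
  if (scheme !== 'https') return no(`scheme is ${scheme}, expected https`);
  if (host !== RAW_HOST) return no(`host is ${host}, expected ${RAW_HOST}`);

  const parts = (m[3] ?? '').split('/');
  // URL parsers collapse "." and ".." segments (also when percent-encoded),
  // which would move a different segment into the <ref> position.
  const bad = parts.find(p => !SAFE_SEGMENT.test(p) || p === '.' || p === '..');
  if (bad !== undefined) return no(`unsafe path segment "${bad}"`);
  if (parts.length < 4) return no('expected /<owner>/<repo>/<ref>/<path>');

  const ref = parts[2] ?? '';
  if (ref === 'refs') return no('path starts with refs/, a movable branch or tag ref');
  if (!FULL_SHA.test(ref)) return no(`"${ref}" is a branch, tag or abbreviated SHA`);
  return { pinned: true, reason: `pinned to commit ${ref.toLowerCase()}` };
}

// Constructed inputs: the default from the reviewed hunk, and a placeholder SHA.
const MUTABLE_URL =
  'https://raw.githubusercontent.com/com-lihaoyi/mill/refs/heads/main/mill';
const PINNED_URL =
  'https://raw.githubusercontent.com/com-lihaoyi/mill/0123456789abcdef0123456789abcdef01234567/mill';
const verdicts = [MUTABLE_URL, PINNED_URL].map(checkWrapperUrl);
```

A URL that passes this check still identifies content only by location; comparing the downloaded bytes against a recorded digest would be a separate step.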
63c6bf4 to 262c514

- Add embedded mill binary and mill-wrapper-url input
- Install mill in pre step, always add to PATH
- Use bundled mill by default, download from URL when provided
74616a0 to c5d12c0

- Add mill-version input back as deprecated (no breaking changes)
- Remove mill from dist folder, keep only at repo root
- Add dist/mill to gitignore, rm from build output
- Update getBundledMillPath for correct resolution from dist/
c5d12c0 to 9bab1d6

- Remove dist from git tracking
- CI builds dist at runtime; release workflow adds it to tag commits
A snapshot release has been created as
You can test it out with:
uses: scala-steward-org/scala-steward-action@snapshots/752
It will be automatically recreated on any change to this PR.
Problem
The current version preemptively downloads the latest version of mill into the container. If a project uses a different version of mill than the default, it can break mill's incremental compilation and start throwing compiler errors that do not exist in the repo.
Solution
Embed the mill wrapper script directly in the action. The wrapper script handles version detection and bootstrapping automatically and does not preemptively download a mill version.
Changes