Are all our GitHub Actions safe? #3130
Comments
Stale issue message
I don't see any self-hosted runners here: https://github.com/rear/rear/actions/runners?tab=self-hosted .
@pcahyna
At
I changed now the current setting
to the new setting
Let's wait and see how things behave with that new setting. How to approve workflow runs is described in
A different topic regarding GitHub Actions: At
in the sub-section
the following is currently allowed
I wonder why we need that? So a crucial part would be whether or not it is obvious
Automated creation of PRs looks useful for dependency updates: e.g. #3172, although that was not submitted by a GitHub Action, it was an external bot. I don't think we need the "approve pull requests" part, I suppose it is for CI systems like Zuul. I don't think that approving a PR leads to change of the code though, as we don't have any automation to merge approved PRs automatically.
Unfortunately at
that can be enabled or disabled as a whole.
is misleading because the 'or' looks as if one If we (at least currently) do not use any
as a whole.
@jsmeix sorry, I have not understood that there is a single setting for it, anyway since the dependabot PRs are not created by a GitHub Action and we don't use any other automated PRs, I believe you should disable the setting.
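The settings discussed in this thread (the default GITHUB_TOKEN permissions, the "Allow GitHub Actions to create and approve pull requests" switch, and whether any self-hosted runners are registered) can be checked from the GitHub REST API rather than by clicking through the settings page. The script below is an added example for illustration and is not part of the ReaR project or of this thread. It assumes the `gh` CLI is installed and authenticated for the optional live fetch; the assessment functions themselves are pure and run on the constructed sample responses embedded in the file, whose shape follows the documented `actions/permissions/workflow` and `actions/runners` endpoints.

```python
"""Audit a repository's GitHub Actions permission settings.

Added example, not project code. assess_* functions take the parsed JSON
of the corresponding GitHub REST API responses and return human-readable
findings; fetch_json() shows how to obtain the live data with `gh api`.
"""
import json
import subprocess

# Constructed sample of GET /repos/{owner}/{repo}/actions/permissions/workflow
# showing the permissive configuration the thread argues against.
SAMPLE_WORKFLOW_PERMISSIONS = {
    "default_workflow_permissions": "write",
    "can_approve_pull_request_reviews": True,
}

# Constructed sample of GET /repos/{owner}/{repo}/actions/runners
# for a repository with no self-hosted runners (the state reported above).
SAMPLE_RUNNERS = {"total_count": 0, "runners": []}


def assess_workflow_permissions(settings):
    """Return findings for the repository-level workflow token settings."""
    findings = []
    if settings.get("default_workflow_permissions") != "read":
        findings.append(
            "default GITHUB_TOKEN permissions are 'write'; set the default to "
            "'read' and grant write scopes per job with a 'permissions:' block"
        )
    if settings.get("can_approve_pull_request_reviews"):
        findings.append(
            "'Allow GitHub Actions to create and approve pull requests' is "
            "enabled; disable it unless a workflow actually needs to open PRs"
        )
    return findings


def assess_runners(runners):
    """Return findings for registered self-hosted runners.

    Every entry returned by the runners endpoint is a self-hosted runner;
    on a public repository these execute workflow code from pull requests,
    so each one is reported by name for review.
    """
    findings = []
    for runner in runners.get("runners", []):
        findings.append(
            f"self-hosted runner '{runner.get('name')}' is registered; "
            "confirm it is isolated and never runs workflows from forks"
        )
    return findings


def fetch_json(owner, repo, path):
    """Fetch an Actions sub-resource as parsed JSON via the gh CLI (assumed installed)."""
    result = subprocess.run(
        ["gh", "api", f"/repos/{owner}/{repo}/actions/{path}"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(result.stdout)


def audit(owner=None, repo=None):
    """Run both checks; with no owner/repo the embedded samples are used."""
    if owner and repo:
        perms = fetch_json(owner, repo, "permissions/workflow")
        runners = fetch_json(owner, repo, "runners")
    else:
        perms, runners = SAMPLE_WORKFLOW_PERMISSIONS, SAMPLE_RUNNERS
    return assess_workflow_permissions(perms) + assess_runners(runners)


if __name__ == "__main__":
    # Offline run against the constructed samples; pass owner/repo for live data.
    for finding in audit():
        print("-", finding)
```

Run it without arguments to see the two findings produced by the sample data; call `audit("rear", "rear")` with an authenticated `gh` to check the real repository. A clean result is an empty list, which is what the thread ends up recommending: default read-only token and the PR approval setting off.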
Because in case of doubt I prefer to be
on @pcahyna
By chance I noticed
https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/
I know basically nothing about GitHub Actions
so I can neither check nor verify whether or not
all those GitHub Actions that are run for ReaR are safe.
In particular I worry about those GitHub Actions
that produce so called "binaries" from our ReaR sources
like RPM packages which could be installed by users.
Is it safe for our users to install
those "binaries" on their systems?
Will those "binaries" always contain only our
unmodified ReaR sources (i.e. same as "git clone")
or might those "binaries" contain modified ReaR sources?