Jeff Triplett on Nostr: While this is good advice, pinned GitHub Actions are not immutable because they share ...
While this is good advice, pinned GitHub Actions are not immutable because they share the same syntax as a label.
This means that someone can delete the image tied to an SHA and replace it with a label (that matches the SHA) to point it to a different image.
GitHub could fix this by migrating to a new syntax, but I suspect Docker is the underlying issue here.
https://s.ovalerio.net/@dethos/112552632476543887
Published at 2024-06-03 13:14:27
Event JSON
{
"id": "a87579eaa3a251977131cc8ced5d6992ee71d3945167e61d78ea1f4153e0654e",
"pubkey": "9c031ba3d4464f56ce895aff6098269c9ed4ff45f2a256ac82aca11db5ca97fe",
"created_at": 1717420467,
"kind": 1,
"tags": [
[
"proxy",
"https://mastodon.social/@webology/112552867787911461",
"web"
],
[
"proxy",
"https://mastodon.social/users/webology/statuses/112552867787911461",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://mastodon.social/users/webology/statuses/112552867787911461",
"pink.momostr"
]
],
"content": "While this is good advice, pinned GitHub Actions are not immutable because they share the same syntax as a label. \n\nThis means that someone can delete the image tied to an SHA and replace it with a label (that matches the SHA) to point it to a different image. \n\nGitHub could fix this by migrating to a new syntax, but I suspect Docker is the underline issue here. https://s.ovalerio.net/@dethos/112552632476543887",
"sig": "9e5a89aa0e6b58094041e74017c4868bf80e202d55bc3a022e7869310b8c29366a094b4e6309c8e4b9e51bec6c7be1b1ada7698f12a6ecdf36cea76a1c060ebd"
}
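As an added example (not code from the post above or from GitHub), the following Python audits the `uses:` references in a workflow file and separates full 40-hex commit pins from tags, branches and short SHAs. The workflow snippet and the 40-character SHA in it are constructed for illustration. It also includes a repository-side check for tag names that are shaped like a commit SHA, which is the ambiguity the post describes: from the workflow text alone, a 40-hex string could be either, so the only way to rule out a SHA-shaped tag is to inspect the action repository's tags, not the consumer's workflow.

```python
import re

# Constructed sample workflow; the action names and the 40-hex SHA are illustrative only.
SAMPLE_WORKFLOW = """\
# constructed sample, not a real workflow
steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-python@main
  - uses: actions/cache@0123456789abcdef0123456789abcdef01234567  # v4.0.2
  - uses: some-org/some-action@0c45773  # short sha
  - uses: ./.github/actions/local-thing
"""

HEX40 = re.compile(r"^[0-9a-f]{40}$")
HEX_SHORT = re.compile(r"^[0-9a-f]{7,39}$")
# "uses: <owner/repo@ref>" with an optional trailing "# comment" (version hint).
USES = re.compile(r"uses:\s*(\S+)(?:\s*#\s*(.*))?")


def classify_ref(ref):
    """Classify the part after '@' purely syntactically.

    Caveat (the point of the post): a 40-hex string is indistinguishable from a
    tag or branch that happens to carry the same name, so "full-sha" here means
    "looks like a full SHA", not "is guaranteed to resolve to that commit".
    """
    if HEX40.match(ref):
        return "full-sha"
    if HEX_SHORT.match(ref):
        return "short-sha"  # abbreviated SHAs are not a pin either
    return "tag-or-branch"


def audit_uses(workflow_text):
    """Return one finding per 'uses:' line: ref kind and whether it is an
    acceptable pin (full SHA plus a human-readable version comment)."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES.search(line)
        if not m:
            continue
        target, comment = m.group(1), m.group(2)
        if target.startswith("./") or target.startswith("docker://"):
            continue  # local actions and docker images are out of scope here
        action, _, ref = target.partition("@")
        kind = classify_ref(ref) if ref else "unpinned"
        findings.append({
            "line": lineno,
            "action": action,
            "ref": ref,
            "kind": kind,
            "comment": comment or "",
            "ok": kind == "full-sha" and bool(comment),
        })
    return findings


def sha_lookalike_tags(tag_names):
    """Repository-side check: tag names that are shaped like a full commit SHA.
    Run this over the tag list of an action repository you maintain or vet
    (the list here is constructed); any hit is a collision the post warns about."""
    return [t for t in tag_names if HEX40.match(t)]


if __name__ == "__main__":
    for f in audit_uses(SAMPLE_WORKFLOW):
        status = "ok " if f["ok"] else "FIX"
        print(f"{status} line {f['line']}: {f['action']}@{f['ref']} ({f['kind']})")
    print("SHA-shaped tags:",
          sha_lookalike_tags(["v1", "0123456789abcdef0123456789abcdef01234567", "main"]))
```

The consumer-side audit enforces the usual advice (full SHA plus a version comment so reviewers can read the pin), while `sha_lookalike_tags` is the complement that the post implies is missing: it has to run against the action repository's own tags, because nothing in the `uses:` line can reveal whether a 40-hex ref will be resolved as a commit or as a same-named tag.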