
Comments (6)

peter-evans avatar peter-evans commented on June 19, 2024 2

Added a section to the documentation here:
https://github.com/peter-evans/create-pull-request/blob/master/docs/concepts-guidelines.md#security

from create-pull-request.

peter-evans avatar peter-evans commented on June 19, 2024 1

I released a new version of the action with vendored Python dependencies. They can be found here. You can re-download the dependencies to test if they match the versions I've checked in to git by running the following.

(Requires npm and Python 3)

npm install
# Remove the dist dir
npm run clean
# Javascript build (ncc) and vendor Python dependencies
npm run package

You should find that everything rebuilds/downloads and there is no git diff.

Thank you for raising this issue. From a security perspective I feel much better about having the dependencies vendored.


mpdude avatar mpdude commented on June 19, 2024 1

Maybe we could add a short section in the README that points this out, add the commands there and then close here?


peter-evans avatar peter-evans commented on June 19, 2024

@mpdude, thanks for raising this issue.

The JavaScript/Python approach might appear strange, but there are good reasons for writing it this way. For a bit of history, this action started life during the GitHub Actions early beta when workflows were HCL and you could only write container actions that ran from a Dockerfile. When beta "v2" arrived with YAML workflows and JavaScript actions I decided to migrate it to the form it's in now because container actions have a number of downsides.

  • Currently container actions are not multi-platform. You can only run them on linux virtual machines.
  • Container actions using image: 'Dockerfile' are very slow because they need to build the image from scratch every time the workflow runs.
  • Container actions using image: 'docker://my-namespace/my-image:1.0.0' cannot be forked easily because the reference to the public Docker image remains. Being able to fork GitHub actions is important for security conscious users.

So to answer your question, I'm not in favour of reverting this action back to being a container action. However, I am interested in improving its performance. You are right that downloading Python dependencies every time is not efficient. I'm planning to test a solution that would vendor the dependencies so they would not need to be downloaded each time.


mpdude avatar mpdude commented on June 19, 2024

Hey Peter, thank you for the reply!

You're right with your points against using a Docker image. In fact, the Docker image itself is not what I was after.

It's the fact that the vendors have to be downloaded on each action run, which (at least in the few observations I've made) feels a lot slower than having something "ready" from the start.

Additionally, from a security perspective, it feels a bit odd if necessary dependencies are automatically pulled at runtime. I usually have a quick scan of what an action does, but when it comes to fetching dependencies at a later time, you never know...

So, if the vendors were included (committed?) in this repo so they'd be readily available at runtime, and maybe anyone could run the "build" process themselves to see they get the same results, that would be a 💯 solution.

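Added example, not code from the create-pull-request project: an offline version of the "rebuild and expect no git diff" check from Peter's comment, generalised to report exactly which vendored files were removed, added or changed, which is the kind of drift behind mpdude's concern about dependencies fetched at runtime. It assumes the committed vendor tree and the freshly rebuilt one (e.g. the output of `npm run package` copied to a scratch directory) are both on disk; the package names and file contents in the demo are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(
                path.read_bytes()).hexdigest()
    return digests


def tree_drift(committed: Path, rebuilt: Path) -> dict:
    """Files removed, added or changed between the committed and rebuilt tree.
    All three lists empty is the offline equivalent of 'no git diff'."""
    a, b = hash_tree(committed), hash_tree(rebuilt)
    return {
        "removed": sorted(p for p in a if p not in b),
        "added": sorted(p for p in b if p not in a),
        "changed": sorted(p for p in a if p in b and a[p] != b[p]),
    }


def trees_match(committed: Path, rebuilt: Path) -> bool:
    """True when a rebuild reproduced the committed vendor tree byte for byte."""
    return not any(tree_drift(committed, rebuilt).values())


def demo_drift() -> dict:
    """Constructed sample (assumption, not real project data): after a rebuild
    one vendored file changed, one disappeared and one is new. For real use,
    point the two paths at the committed vendor directory and the rebuilt one."""
    with tempfile.TemporaryDirectory() as tmp:
        committed = Path(tmp) / "committed" / "vendor"
        rebuilt = Path(tmp) / "rebuilt" / "vendor"
        for root in (committed, rebuilt):
            (root / "pkg").mkdir(parents=True)
            (root / "pkg" / "__init__.py").write_text("# constructed\n")
            (root / "pkg" / "core.py").write_text("VERSION = '1.0'\n")
        (rebuilt / "pkg" / "core.py").write_text("VERSION = '1.0'\nimport os\n")
        (committed / "pkg" / "old.py").write_text("x = 1\n")
        (rebuilt / "pkg" / "new.py").write_text("y = 2\n")
        return tree_drift(committed, rebuilt)


if __name__ == "__main__":
    print(demo_drift())
```

A non-empty result is the signal to inspect the named files before trusting the vendored tree, since a changed file with an unchanged version pin is exactly what a version-only comparison would miss.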

mpdude avatar mpdude commented on June 19, 2024

Great, thank you!
