
Strengthen git checks #11

Open
TomHennen opened this issue Jan 7, 2025 · 2 comments

Comments

@TomHennen
Contributor

@zachariahcox notes:

We should check that:

the repo is at the correct revision (git rev-parse HEAD) and it is the same as the expected Actions git SHA
and that the checked-out revision hasn't been modified (git status returns nothing)

Otherwise people might do something shady?
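
As an added example (not code from this issue or from the project), here are the two checks above as a POSIX shell script that could run as a step before attestation generation. It assumes the expected revision arrives in GITHUB_SHA, as GitHub Actions provides it, and that the checkout is the current directory; the comparison logic is kept apart from the git calls so it can be exercised on constructed input without a repository. One practitioner caveat: the ref has to be spelled HEAD, because on a case-sensitive filesystem git rev-parse head only resolves if a ref literally named head exists, and git status --porcelain is the stable, machine-readable form of "git status returns nothing".

```shell
#!/bin/sh
# Added example, not the project's code. Verifies that the working tree is
# exactly the revision an attestation will describe: HEAD equals the expected
# commit (taken from GITHUB_SHA, an assumption about the CI environment) and
# nothing in the tree has been modified or added.
set -eu

# Pure check, separated from git so it can be tested on constructed input.
#   $1  expected 40-character lowercase hex commit sha
#   $2  observed output of `git rev-parse HEAD`
#   $3  observed output of `git status --porcelain --untracked-files=all`
# Exit status 0 only when the revision matches and the tree is clean.
checkout_matches() {
    expected=$1
    observed=$2
    status=$3

    # Refuse malformed input rather than comparing garbage to garbage.
    case "$expected" in
        *[!0-9a-f]*|"") echo "expected sha is not lowercase hex: '$expected'" >&2; return 1 ;;
    esac
    if [ "${#expected}" -ne 40 ]; then
        echo "expected sha has ${#expected} characters, want 40" >&2
        return 1
    fi
    if [ "$expected" != "$observed" ]; then
        echo "HEAD is '$observed', expected '$expected'" >&2
        return 1
    fi
    # Any porcelain line (modified, staged, deleted, untracked) means the tree
    # no longer corresponds to the commit being attested.
    if [ -n "$status" ]; then
        echo "working tree differs from $expected:" >&2
        printf '%s\n' "$status" >&2
        return 1
    fi
    return 0
}

# Runs the real checks against the repository in $1 (default: current dir).
verify_checkout() {
    repo=${1:-.}
    expected=${GITHUB_SHA:?GITHUB_SHA must hold the expected commit sha}
    observed=$(git -C "$repo" rev-parse HEAD)
    # --porcelain output is stable across git versions and is empty for a clean
    # tree; --untracked-files=all also lists files inside untracked directories.
    status=$(git -C "$repo" status --porcelain --untracked-files=all)
    checkout_matches "$expected" "$observed" "$status"
}

# Only run the live check when asked for explicitly, so the functions can be
# sourced and tested without git or GITHUB_SHA being present.
if [ "${VERIFY_CHECKOUT:-0}" = 1 ]; then
    verify_checkout "${1:-.}"
fi
```

In a workflow this would run as a step right after the checkout, for example VERIFY_CHECKOUT=1 sh verify-checkout.sh, and the job fails on any mismatch or dirty file. It is only as trustworthy as the step that runs it: if an untrusted party controls the job that executes the script, they also control git and its output, which is the point raised in the replies below.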

@TomHennen
Contributor Author

Question: is this actually required if the reusable workflow does the checkout? Would it even be possible for someone to mess with things?

@mlieberman85
Member

I'm assuming we're talking about during attestation generation? If so then yeah the reusable workflow would be the trusted actor and if someone could mess with the checkout then they could just as easily mess with git or the output of git.

2 participants