GitHub Actions: Remove filters to ensure tests are always run #364
Conversation
Fixes: #358

* #358 is too complex (which may lead to loopholes) and requires us to give special permissions to a GitHub Action that is not verified in the Marketplace. Given GitHub Actions software supply chain attacks in recent weeks, it is better to err on the side of precaution and run tests on all pull requests.
I don't think this is the path we should take, but I won't block this from merging if you think it is, since this is a fairly big issue.
On supply-chain security concerns, we can always pin it to the latest commit (specify with and the actions settings exception as dorny/paths-filter@de90cc6 with the full hash instead of @V3, which I've just done). There is no way one would be able to modify an existing commit (even force pushes generate new ones) or fake a commit hash (Git has "second preimage resistance" which always serves the earlier commit in the very rare case of a collision). The only way we'd be supply-chain attacked with such a pin is if GitHub itself is compromised, in which case an attack through actions would be the least of our worries. The workflow also does not seem complex as it only depends on two if conditions, which are also very unlikely to compromise in any way except compromising GitHub. You do have more experience than me, though.
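The full-commit-hash pinning described in the comment above can be checked mechanically rather than by eye. The script below is an added example, not code from this project or from either participant: it scans a workflow file for `uses:` references and reports any third-party action that is not pinned to a 40-character commit SHA. The sample workflow text, the placeholder SHA in it and the function names are assumptions made for the example; the abbreviated `de90cc6` reference from the comment is included to show that a short hash, which Git resolves by prefix, is not the full-hash pin the comment is after.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA.

Added example, not code from the project under review.  SAMPLE_WORKFLOW is
constructed for illustration; the 40-hex SHA in it is a placeholder, not a
real commit of actions/setup-python.
"""
import re

# Matches `uses: value` or `- uses: value`, with or without quotes (assumption:
# one reference per line, which is how workflow steps are normally written).
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)', re.MULTILINE)
# A full Git object id: exactly 40 lowercase hex digits.
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify(ref):
    """Return 'local', 'pinned' or 'unpinned' for one `uses:` value."""
    if ref.startswith('./') or ref.startswith('docker://'):
        # Repo-local or container actions are not Marketplace dependencies.
        return 'local'
    if '@' not in ref:
        # No ref at all resolves to the default branch: fully mutable.
        return 'unpinned'
    _, _, version = ref.rpartition('@')
    # Tags (v3), branches (main) and abbreviated SHAs (de90cc6) can all be
    # moved or re-resolved; only a full SHA names immutable content.
    return 'pinned' if FULL_SHA_RE.match(version) else 'unpinned'


def check_pins(workflow_text):
    """List (reference, status) for every `uses:` line in the workflow."""
    return [(ref, classify(ref)) for ref in USES_RE.findall(workflow_text)]


def unpinned(workflow_text):
    """Only the references a reviewer would ask to have pinned."""
    return [ref for ref, status in check_pins(workflow_text) if status == 'unpinned']


# Constructed sample workflow (not this project's real workflow file).
SAMPLE_WORKFLOW = """\
name: tests
on: [push, pull_request]
jobs:
  filter:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dorny/paths-filter@de90cc6
      - uses: ./.github/actions/local-step
      - uses: "actions/setup-python@0123456789abcdef0123456789abcdef01234567"
"""

if __name__ == '__main__':
    for ref, status in check_pins(SAMPLE_WORKFLOW):
        print(f'{status:9} {ref}')
```

Run against the sample, the check reports `actions/checkout@v4` and `dorny/paths-filter@de90cc6` as unpinned, the placeholder-SHA reference as pinned and the `./` step as local. A pin of this kind freezes the action's content, so a separate update mechanism (Dependabot or a periodic review) is still needed to pick up fixes in the action itself.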
One less unverified dependency to worry about.