@lupyuen what concerns me is how this got propagated to others.

GitHub Actions has no security model or vetting process. Best to pin on a SHA, as versions can easily be 'recreated' to contain malicious code. I always fork and/or create my own actions.

@lupyuen

Also, many actions have side-effects and/or do not document that they only work on Ubuntu-based (public) runners.

When you have self-hosted runners, the disk layout and the OS might differ. I use CentOS/Fedora.

I also prevent the use of something like apt or dnf installs, as the OS itself is immutable.
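A defender's check for the SHA-pinning point made above, added here as an example and not code from either poster: it scans a workflow file for `uses:` references that are not pinned to a full 40-hex commit SHA. The sample workflow, including its SHA, is constructed for the demonstration.

```python
import re

# Constructed sample workflow (not from the thread); the 40-hex SHA below is a
# placeholder, not a real commit of actions/setup-node.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # v4
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
      - uses: some-org/deploy-action@main
"""

# A `uses:` step reference, optionally quoted, stopping before a trailing comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)', re.MULTILINE)
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def find_unpinned_actions(workflow_text):
    """Return (action, ref, reason) for each marketplace-style action that is not
    pinned to a full 40-hex commit SHA.

    Tags and branches are mutable: whoever controls the action's repository can
    re-point `v4` at different code, and every workflow using `@v4` picks that
    up on its next run. A full commit SHA names one exact tree.
    Local actions (./path) and docker:// images are skipped; they are not
    resolved through GitHub's action lookup.
    """
    findings = []
    for match in USES_RE.finditer(workflow_text):
        spec = match.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            continue
        if "@" not in spec:
            findings.append((spec, "", "no ref given"))
            continue
        action, ref = spec.rsplit("@", 1)
        if FULL_SHA_RE.match(ref):
            continue  # pinned to an immutable commit
        findings.append((action, ref, "not a full 40-hex commit SHA"))
    return findings


if __name__ == "__main__":
    for action, ref, reason in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"{action}@{ref}: {reason}")
```

Running it on the sample flags `actions/checkout@v4` and `some-org/deploy-action@main`; the SHA-pinned, local and docker steps pass.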
