I suppose that is a fair concern. The restriction may at least force folks to be aware of the potential risks, although the risk is completely eliminated by explicitly referencing a particular commit instead of a tag.

--
Michael Mior
[email protected]
On Fri, Jan 8, 2021 at 12:30, Vladimir Sitnikov <[email protected]> wrote:
>
> Michael> Has there been a clear statement as to why the restrictions are in
> Michael> place?
>
> They say "for security reasons".
>
> Michael> seems like the restriction is rather pointless.
>
> My feeling exactly :-(
>
> I guess someone submitted something like
> https://julienrenaux.fr/2019/12/20/github-actions-security-risk/#the-problem
> as a security issue to the ASF, and it triggered the wave :-(
>
> I guess they mentioned that tag-based and branch-based action
> references like AdoptOpenJDK/install-jdk@v1
> could silently change (e.g. git force push), and the action would silently
> capture secrets or even push something to the ASF repository.
>
> Vladimir
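The distinction the thread turns on (a tag or branch reference such as `AdoptOpenJDK/install-jdk@v1` can be moved by a force push, a full 40-character commit SHA cannot) is easy to check mechanically. The following is an added example, not code from either correspondent or from the ASF: a small scanner that reads a workflow file and reports every `uses:` reference that is not pinned to an immutable ref. The sample workflow, the action names with their versions, and the commit SHA in it are constructed for illustration; the regular expressions and classification rules are the author's own assumptions about the `uses:` syntax, not an official GitHub specification.

```python
"""Report GitHub Actions `uses:` references that are not pinned to an immutable ref.

Added example (not from the mailing-list thread). Rules assumed here:
  - owner/repo@<40-hex sha>   -> pinned   (cannot be moved by a force push)
  - owner/repo@v1 / @main     -> mutable  (tag or branch; can be re-pointed)
  - owner/repo (no @)         -> mutable  (resolves to the default branch)
  - docker://image@sha256:... -> pinned   (content digest)
  - docker://image:tag        -> mutable  (registry tag can be re-pushed)
  - ./path                    -> local    (ships with the checked-out repo)
"""
import re

# A `uses:` line, optionally a list item, value optionally quoted.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: AdoptOpenJDK/install-jdk@v1
      - uses: actions/setup-node@1234567890abcdef1234567890abcdef12345678
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.12
"""


def classify(ref):
    """Return 'local', 'pinned' or 'mutable' for one `uses:` value."""
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        image = ref[len("docker://"):]
        if "@" in image and DIGEST_RE.match(image.split("@", 1)[1]):
            return "pinned"
        return "mutable"
    if "@" not in ref:
        return "mutable"
    _, version = ref.rsplit("@", 1)
    return "pinned" if SHA_RE.match(version) else "mutable"


def find_unpinned(workflow_text):
    """Return [(line_number, ref)] for every mutable reference in the workflow."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify(m.group(1)) == "mutable":
            findings.append((n, m.group(1)))
    return findings


if __name__ == "__main__":
    for line_no, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: '{ref}' is not pinned to a commit SHA or digest")
```

Run as a pre-commit hook or CI step, the script fails the build on any `mutable` finding; pinning `actions/checkout@v2` to its SHA satisfies the check while still recording the tag in a trailing comment for readability, since the regex stops at `#`.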
