I have no evidence for this whatsoever, but I have a hunch that GitHub Actions could be exploited by bitcoin miners. I would be concerned that someone could create a PR and burn several cents of Apache's (or GitHub's) operational budget.
On Fri, Jan 8, 2021 at 9:53 AM Michael Mior <[email protected]> wrote:
>
> I suppose that is a fair concern. The restriction may at least force
> folks to be aware of the potential risks. Although it is completely
> eliminated by explicitly referencing a particular commit instead of a
> tag.
> --
> Michael Mior
> [email protected]
>
> On Fri, Jan 8, 2021 at 12:30, Vladimir Sitnikov
> <[email protected]> wrote:
> >
> > Michael>Has there been a clear statement as to why the restrictions are in
> > Michael>place?
> >
> > They say "for security reasons".
> >
> > Michael>seems like the restriction is rather pointless.
> >
> > My feeling exactly :-(
> >
> > I guess someone submitted something like
> > https://julienrenaux.fr/2019/12/20/github-actions-security-risk/#the-problem
> > as a security issue to the ASF, and it triggered the wave :-(
> >
> > I guess they mentioned that tag-based and branch-based action
> > references like AdoptOpenJDK/install-jdk@v1
> > could silently change (e.g. git force push), and the action would silently
> > capture
> > secrets or even push something to the ASF repository.
> >
> > Vladimir
