Publish as immutable action #1485

Open
JamieMagee opened this issue Dec 17, 2024 · 2 comments
Comments

@JamieMagee

Immutable actions are a way to publish custom GitHub Actions as OCI artifacts in the GitHub container registry, as opposed to git refs. They give some better security guarantees than existing actions:

  • Provenance attestations generated using the @actions/attest package
  • Tag immutability - it will not be possible to overwrite tags once published, ensuring versions of an action can't change once in use
  • Namespace immutability - it will not be possible to delete and recreate the package with different content; this would undermine tag immutability

Currently, immutable actions are in preview, but I think it's worth investigating.

References:

@spencerschrock
Member

spencerschrock commented Dec 17, 2024

See also actions/publish-immutable-action#216. I'm curious how we would detect them.

whoops, thought this was the scorecard repo, not the action

@JamieMagee
Author

JamieMagee commented Dec 17, 2024

I have a solution for that!

EDIT: commented in the linked issue
