Skip to content

GitHub Actions: Remove filters to ensure tests are always run #364

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Apr 7, 2025
Merged

GitHub Actions: Remove filters to ensure tests are always run #364

merged 4 commits into from
Apr 7, 2025

Conversation

cclauss
Copy link
Member

@cclauss cclauss commented Apr 7, 2025

Fixes: #358

  • fix required skipped CI jobs #358 is too complex (which may lead to loopholes) and requires us to give special permissions to a GitHub Action that is not verified in the Marketplace. Given GitHub Actions software supply chain attacks in recent weeks, it is better to err on the side of precaution and run tests on all pull requests.
Special permissions

@cclauss
GitHub Actions: Remove filters to ensure tests are always run
1890268 
Fixes: #358 
* #358 is too complex (which may lead to loopholes) and requires us to give special permissions to a GitHub Action that is not verified in the Marketplace.  Given GitHub Actions software supply chain attacks in recent weeks, it is better to err on the side of precaution and run tests on all pull requests.

---
@cclauss cclauss requested review from jayvdb and aaronliu0130 April 7, 2025 09:57
@cclauss cclauss mentioned this pull request Apr 7, 2025
Closed
aaronliu0130
aaronliu0130 approved these changes Apr 7, 2025
View reviewed changes
Copy link
Member

@aaronliu0130 aaronliu0130 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this is the path we should take, but I won't block this from merging if you think it is, since this is a fairly big issue.

On supply-chain security concerns, we can always pin it to the latest commit (specify with and the actions settings exception as dorny/paths-filter@de90cc6 with the full hash instead of @V3, which I've just done). There is no way one would be able to modify an existing commit (even force pushes generate new ones) or fake a commit hash (Git has "second preimage resistance" which always serves the earlier commit in the very rare case of a collision). The only way we'd be supply-chain attacked with such a pin is if GitHub itself is compromised, in which case an attack through actions would be the least of our worries. The workflow also does not seem complex as it only depends on two if conditions, which are also very unlikely to compromise in any way except compromising GitHub. You do have more experience than me, though.

@cclauss
Copy link
Member Author

cclauss commented Apr 7, 2025

One less unverified dependency to worry about.

@cclauss cclauss merged commit 994273f into develop Apr 7, 2025
14 checks passed
@cclauss cclauss deleted the Remove-filters-to-ensure-tests-are-always-run branch April 7, 2025 23:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aaronliu0130 aaronliu0130 aaronliu0130 approved these changes

@jayvdb jayvdb Awaiting requested review from jayvdb

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@cclauss @aaronliu0130
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy