Require hashes and wheels for dependencies#248
Open
sethmlarson wants to merge 6 commits into pypa:unstable/v1 from
Conversation
for more information, see https://pre-commit.ci
webknjaz
requested changes
Jul 10, 2024
Closed
@webknjaz could you for now build and upload the docker image, narrowing the window for a compromise and speeding up usage of the action?

I've been meaning to merge #230 which will allow this. It seems ready, I just haven't had time to double-check for the last time. I'd like to get to it ASAP.

@graingert publishing to GHCR is now implemented.

Hooray!
Including hashes means new files won't be used as candidates during the installation phase. Requiring wheels ensures that source distributions won't be used as candidates, mitigating the potential to "downgrade" to the sdist by deleting the wheel file for a release.
Both of these options together stop an intrusion in a dependency from being able to impact this GitHub Action.
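An added illustration of the two checks the description combines (my own code, not pip's implementation and not part of this PR): a parser for pip-style hash-pinned requirement lines (`pkg==ver --hash=sha256:<hex>`, backslash continuations joined) and a candidate filter that rejects sdists, releases that are not pinned, and files whose SHA-256 differs from the pin. The package name, file contents and hashes are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

HASH_PREFIX = "--hash=sha256:"

def parse_requirements(text):
    # Build {normalized-name: (pinned version, {allowed sha256 hex digests})}.
    pins = {}
    for line in text.replace("\\\n", " ").splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        name, _, version = parts[0].partition("==")
        hashes = {p[len(HASH_PREFIX):] for p in parts[1:] if p.startswith(HASH_PREFIX)}
        if not version or not hashes:  # hash mode rejects any unpinned or unhashed line
            raise ValueError(f"unpinned or unhashed requirement: {line.strip()}")
        pins[name.lower().replace("_", "-")] = (version, hashes)
    return pins

def check_candidate(path, pins):
    # Return None if the file is an acceptable install candidate, else the rejection reason.
    if path.suffix != ".whl":
        return "not a wheel"  # wheels-only: an sdist is never a candidate
    dist, version = path.name.split("-")[:2]
    pinned = pins.get(dist.lower().replace("_", "-"))
    if pinned is None or version != pinned[0]:
        return "not a pinned release"  # a newly uploaded version is simply ignored
    if hashlib.sha256(path.read_bytes()).hexdigest() not in pinned[1]:
        return "hash mismatch"  # file content differs from what was pinned
    return None

def demo():
    genuine = b"PK\x03\x04 constructed wheel payload"  # constructed sample, not a real wheel
    reqs = f"example_pkg==1.0.0 \\\n    {HASH_PREFIX}{hashlib.sha256(genuine).hexdigest()}\n"
    pins = parse_requirements(reqs)
    files = {
        "example_pkg-1.0.0-py3-none-any.whl": genuine,
        "example_pkg-1.0.0.tar.gz": genuine,            # sdist of the same release
        "example_pkg-1.0.1-py3-none-any.whl": genuine,  # newer upload, not pinned
        "mirror/example_pkg-1.0.0-py3-none-any.whl": b"PK\x03\x04 replaced",  # swapped wheel
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in files.items():
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
            results[rel] = check_candidate(p, pins)
    return results
```

Only the genuine, pinned wheel passes; the sdist, the newer upload and the replaced wheel are each rejected for a different reason.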