docker auth: improve missing user/pwd by Frankkkkk · Pull Request #706 · docker/login-action
Curious question: the dist files are so large; how do you make sure that a malicious user didn't embed some nefarious content in them?
We have a scanner and CodeQL running as well to avoid that. Also, considering our dependency tree, we are quite confident we consume vetted packages:
```json
"dependencies": {
  "@actions/core": "^1.10.1",
  "@aws-sdk/client-ecr": "^3.529.1",
  "@aws-sdk/client-ecr-public": "^3.529.1",
  "@docker/actions-toolkit": "^0.23.0",
  "http-proxy-agent": "^7.0.2",
  "https-proxy-agent": "^7.0.4"
},
```
Subsidiary one: how do you deal with conflicts on MRs? Do all contributors always have to rebase on every change on main?
Yes indeed, this is currently painful, but there is no other choice atm. GitHub plans to change that in the future to use GitHub Packages to ship actions instead (I was told about this two years ago though).