Description
GitHub releases for the buildx project are currently mutable, which is problematic when using the docker/setup-buildx-action, as it downloads the buildx binary directly from the buildx GitHub releases[^1] and it only allows pinning the buildx version (e.g., v0.33.0) rather than pinning its full-length SHA256 digest, and it doesn't appear to be verifying the integrity of the downloaded file prior to its execution.[^2][^3]
While this could be fixed in the action itself, the easiest way may be to enable tag immutability in the settings of the repository (https://github.com/docker/buildx), which would also avoid increasing code complexity in the docker/setup-buildx-action actions and any other action or component that downloads straight from GitHub releases, as well as supporting other use-cases that users may have other than just docker/setup-buildx-action.
Could it be possible for https://github.com/docker/buildx to enable tag immutability? Or is it tricky to implement in this project?
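The check the issue says is missing, verifying a downloaded release asset against a pinned full-length SHA256 digest before it is made executable, as an added example that is not part of the issue or of the docker/setup-buildx-action or actions-toolkit code. The sample file and its digest are constructed for the demonstration; a real workflow would pin the digest of the actual buildx binary published for the chosen version.

```shell
#!/bin/sh
# Added example (not from the issue or the docker/setup-buildx-action project):
# compare a downloaded asset's SHA256 with a pinned, full-length digest and
# only install it when the two match. Pinning a digest instead of a tag means
# a re-pointed (mutable) tag cannot silently swap the binary.
set -eu

# sha256_of FILE: print the hex SHA256 digest of FILE (GNU coreutils or
# macOS/BSD shasum fallback).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED_DIGEST
# Returns 0 when FILE's digest equals EXPECTED_DIGEST, 1 otherwise.
verify_sha256() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# install_verified SRC EXPECTED_DIGEST DEST
# Copies SRC to DEST and marks it executable only after the digest check
# passes; on mismatch nothing is installed and 1 is returned.
install_verified() {
  if verify_sha256 "$1" "$2"; then
    cp "$1" "$3"
    chmod 0755 "$3"
    return 0
  fi
  echo "digest mismatch for $1: refusing to install" >&2
  return 1
}

# Constructed sample "asset": the file content is just "hello\n"; its SHA256
# is the well-known value below (it is not a real buildx binary digest).
PINNED_DIGEST=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
WORK=$(mktemp -d)
printf 'hello\n' > "$WORK/asset"

if install_verified "$WORK/asset" "$PINNED_DIGEST" "$WORK/installed"; then
  echo "installed: digest matched"
fi

# Simulate a tampered or re-published asset: one byte differs, so the check fails.
printf 'hellO\n' > "$WORK/asset"
if install_verified "$WORK/asset" "$PINNED_DIGEST" "$WORK/installed2"; then
  echo "unexpected: tampered asset installed"
else
  echo "rejected: digest did not match"
fi

rm -rf "$WORK"
```

The digest to pin would be taken from the release's published checksum file at the time of review and recorded in the workflow alongside the version, so that a later change to what the tag points at is detected rather than executed.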
Footnotes
[^1]: https://github.com/docker/actions-toolkit/blob/aef1d233d6bd390a5df40888f0020be23bb122c1/src/buildx/install.ts#L319-L341
[^2]: https://github.com/docker/actions-toolkit/blob/aef1d233d6bd390a5df40888f0020be23bb122c1/src/buildx/install.ts#L71-L113
[^3]: https://github.com/docker/setup-buildx-action/blob/21162887f0d6e25b4e8eafb0cf44cf9bf7f6acd3/src/main.ts#L54-L69