Don't use cache in CI. #6985

Open
wants to merge 1 commit into
base: main

dcampbell24
Contributor

No description provided.

@sylvestre
Contributor

I'm sorry, but it requires further explanation of the reasons why.

@dcampbell24
Contributor Author

The update of zizmor has a new error: error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack.

See https://woodruffw.github.io/zizmor/audits/#cache-poisoning and https://woodruffw.github.io/zizmor/audits/#remediation_13 for the details. It suggests removing all caching.

@sylvestre
Contributor

Yeah, but I think it is unlikely + they recommend disabling it for release workflows.
I think you removed it everywhere, no?

@dcampbell24
Contributor Author

I removed it everywhere zizmor was complaining about it. I think that was everywhere in CICD.yml. It says you ought to remove it everywhere you intend to publish build artifacts.

@sylvestre
Contributor

Yeah, but I am not convinced we should follow the tool blindly :)
