on.<push|pull_request>.paths filter to trigger validation only on sensitive pushes #17
Comments
Have thought about it, but there are many cases where the https://github.com/jlleitschuh/ktlint-gradle You are welcome to add |
The following should cover all the cases:

    paths:
      - **/gradle-wrapper.jar

What I mean is even though GitHub Actions is free, it is not very wise to use that resource for each and every case. It might be the same for branches as well. It is just enough to trigger the check if Note: AFAIK |
Pulling from the readme:
If you use a wildcard like that |
What's the point in homoglyphs?
It's an attack that would be very difficult to detect via visual inspection. Here's a demo/example of a homoglyph attack update PR. |
I assume that Gradle uses a file with the exact file name. That is why if |
However, |
Notice how the attack changes the |
Just in case: what I mean by Do you think there should be another check that verifies just homoglyphs in file names? What I mean is it might be generally unexpected to have weird file names (depending on the definition of |
I somewhat describe this here, but maybe I should do a better job. When we scoped this work, we wanted to specifically focus on the The general assumption that we make about |
Well. I guess |
That doesn't always really work. Some organizations modify their We also don't publish the checksums for the |
@JLLeitschuh, it would be great if the Gradle team provided a crisp recommendation on path filtering, and explicitly documented it in the action's documentation. BTW, this action is great, thank you for sharing! |
We don't have a recommendation here. For the best security, don't enable path filtering. But you understand your project best. |
https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#onpushpull_requestpaths
Even though wrapper-validation-action is fast, it does produce lots of irrelevant logs (e.g. in GitHub Actions UI) for each and every pull request.
Have you considered using on.<push|pull_request>.paths to reduce the scope of the validator triggering?
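The thread above makes two points that are easy to check mechanically: a paths filter such as `**/gradle-wrapper.jar` matches the file name literally, code point by code point, so a homoglyph-named jar never triggers the workflow, and a separate check for "weird" file names would catch exactly those cases. The script below is an added example written for this page; it is not code from wrapper-validation-action, the Gradle team, or any commenter. It assumes a simplified model of the GitHub paths filter (only the `**/<name>` pattern shape, with `**` standing for zero or more leading directories), a constructed changed-file list, and a hand-picked confusable table that is a small subset of the Unicode confusables data. The `skeleton()`, `path_filter_matches()`, `find_lookalikes()` and `triage()` names are all assumptions of the example.

```python
import fnmatch
import unicodedata
from typing import Dict, List

# Constructed sample of a pull request's changed-file list. The third path
# spells "wrapper" with a Cyrillic small a (U+0430); the fourth appends a
# combining dot above (U+0307) to the final "r". Both render almost
# identically to the genuine name in most fonts.
SAMPLE_CHANGED_FILES: List[str] = [
    "gradle/wrapper/gradle-wrapper.jar",
    "gradle/wrapper/gradle-wrapper.properties",
    "gradle/wrapper/gradle-wr\u0430pper.jar",
    "lib/gradle/wrapper/gradle-wrapper\u0307.jar",
    "src/main/kotlin/App.kt",
]

# Hand-picked confusables (Cyrillic letters that look like Latin ones).
# This is a subset chosen for the example, not the full Unicode table.
CONFUSABLES: Dict[str, str] = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0458": "j", "\u04bb": "h",
}


def skeleton(name: str) -> str:
    """Reduce a file name to an ASCII skeleton for look-alike comparison:
    NFKD-decompose, drop combining marks, then fold known confusables."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(CONFUSABLES.get(ch, ch) for ch in stripped)


def path_filter_matches(pattern: str, path: str) -> bool:
    """Approximate GitHub's on.<push|pull_request>.paths matching for the
    one pattern shape this example needs, '**/<name>' (assumption): '**'
    stands for zero or more leading directories and <name> is matched
    literally by fnmatch, so a homoglyph in the name never matches."""
    if pattern.startswith("**/"):
        tail = pattern[len("**/"):]
        parts = path.split("/")
        return any(fnmatch.fnmatchcase("/".join(parts[i:]), tail)
                   for i in range(len(parts)))
    return fnmatch.fnmatchcase(path, pattern)


def find_lookalikes(paths: List[str],
                    target: str = "gradle-wrapper.jar") -> List[Dict[str, str]]:
    """Return changed files whose base name is not exactly `target` but whose
    skeleton is, or which contain any non-ASCII code point at all (an odd
    file name deserves a human look even if it resembles nothing)."""
    findings = []
    for path in paths:
        base = path.rsplit("/", 1)[-1]
        if base == target:
            continue
        if skeleton(base) == target or not base.isascii():
            findings.append({
                "path": path,
                "reason": ("skeleton matches " + target
                           if skeleton(base) == target else "non-ASCII file name"),
                "codepoints": " ".join(f"U+{ord(c):04X}" for c in base if ord(c) > 0x7F),
            })
    return findings


def triage(paths: List[str],
           pattern: str = "**/gradle-wrapper.jar") -> Dict[str, List[str]]:
    """Split a changed-file list into what a literal paths filter would fire
    on and what would slip past it while still looking like the wrapper jar."""
    triggered = [p for p in paths if path_filter_matches(pattern, p)]
    missed = [f["path"] for f in find_lookalikes(paths)
              if not path_filter_matches(pattern, f["path"])]
    return {"triggered": triggered, "missed_lookalikes": missed}


if __name__ == "__main__":
    result = triage(SAMPLE_CHANGED_FILES)
    print("paths filter would trigger on:", result["triggered"])
    print("look-alikes the filter would NOT trigger on:", result["missed_lookalikes"])
    for f in find_lookalikes(SAMPLE_CHANGED_FILES):
        print(f"  {f['path']!r}: {f['reason']} ({f['codepoints']})")
```

Run as a script, it reports that only the genuine `gradle/wrapper/gradle-wrapper.jar` would trigger a `**/gradle-wrapper.jar` filter, while both homoglyph-named jars are flagged as look-alikes that the filter would silently skip. That is the practical reading of the maintainer's "for the best security, don't enable path filtering": a filter keyed on the exact file name cannot see a file whose name was chosen not to match it, so any look-alike check has to run on every push or pull request, not only the filtered ones.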