Proposal: Harden external dependencies in the debug workflow

28 views
Skip to first unread message

Filipe Mota (BlackSpirits)

unread,
Jul 12, 2026, 12:20:10 AM (5 days ago) Jul 12
to innosetup
The manually triggered `.github/workflows/debug.yml` currently uses
`fawazahmed0/action-debug-vscode@main`.

Using a moving branch means that future upstream changes can be executed
without a corresponding change in this repository, which makes the workflow
less reproducible and harder to audit.

Pinning the action to a reviewed commit SHA would improve this, but the action
currently also downloads `print-path.js` from its own `@main` branch and
downloads other tools dynamically. Therefore, pinning only the `uses:` line
would not make the full execution path immutable.

Would you be open to one of the following approaches?

- Pin the action to an audited commit and use a version that also pins its
  internal script references.
- Vendor or maintain a minimal equivalent debug step in this repository.
- Explicitly document that moving external dependencies are intentional for
  this manually triggered workflow.
- Pass an explicit per-run access token instead of relying on the action's
  default.

This is a workflow hardening and reproducibility suggestion, not a report of a
known compromise.

Martijn Laan - Inno Setup

unread,
Jul 13, 2026, 2:38:43 AM (4 days ago) Jul 13
to innosetup
Hi,

GitHub Actions are disabled all together on our repos, but I will remove this workflow, even though it wouldn't automatically even if GitHub Action would be enabled.

Greetings,
Martijn

Op 12-7-2026 om 02:46 schreef Filipe Mota:
known compromise. --
You received this message because you are subscribed to the Google Groups "innosetup" group.
To unsubscribe from this group and stop receiving emails from it, send an email to innosetup+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/innosetup/9dfa0b66-1330-40ea-9c35-cf426cf02f39n%40googlegroups.com.

Reply all
Reply to author
Forward
0 new messages