Filipe Mota (BlackSpirits)
unread,Jul 12, 2026, 12:20:10 AM (5 days ago) Jul 12Sign in to reply to author
Sign in to forward
You do not have permission to delete messages in this group
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to innosetup
The manually triggered `.github/workflows/debug.yml` currently uses
`fawazahmed0/action-debug-vscode@main`.
Using a moving branch means that future upstream changes can be executed
without a corresponding change in this repository, which makes the workflow
less reproducible and harder to audit.
Pinning the action to a reviewed commit SHA would improve this, but the action
currently also downloads `print-path.js` from its own `@main` branch and
downloads other tools dynamically. Therefore, pinning only the `uses:` line
would not make the full execution path immutable.
Would you be open to one of the following approaches?
- Pin the action to an audited commit and use a version that also pins its
internal script references.
- Vendor or maintain a minimal equivalent debug step in this repository.
- Explicitly document that moving external dependencies are intentional for
this manually triggered workflow.
- Pass an explicit per-run access token instead of relying on the action's
default.
This is a workflow hardening and reproducibility suggestion, not a report of a
known compromise.