Skip to content

feat(action): use prebuilt release binaries for commit-SHA pins#83

Merged
ErenAri merged 1 commit into
mainfrom
feat/prebuilt-sha-pin
Jul 16, 2026
Merged

feat(action): use prebuilt release binaries for commit-SHA pins#83
ErenAri merged 1 commit into
mainfrom
feat/prebuilt-sha-pin

Conversation

@ErenAri

@ErenAri ErenAri commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Problem

Pinning third-party actions by full commit SHA is the recommended practice (and what falcosecurity maintainers explicitly asked for in falcosecurity/libs#3024) — but the action's prebuilt-binary resolution only matched v* tag refs. A SHA pin silently fell back to building the validator from source, which fails on any runner without libbpf-dev:

src/main.c:3:10: fatal error: bpf/bpf.h: No such file or directory

This is exactly what broke the falcosecurity/libs lane's first dress-rehearsal run (failing run, stopgap upstream fix falcosecurity/libs#3055).

Fix

When github.action_ref is a 40-hex commit SHA, resolve it to the release tag pointing at that commit via the tags API (authenticated with the workflow's github.token to avoid shared-runner rate limits) and use that release's checksum-verified prebuilt binaries.

Fallback behavior is unchanged and graceful: no matching tag, missing jq, or any API failure → existing build-from-source path; prebuilt: never still forces source builds.

Trust model note: assets are still verified against the release SHA256SUMS (cosign-signed, see docs/verifying-releases.md) — the same model tag-pinned consumers already use. Consumers who want strictly pinned-source execution keep prebuilt: never.

Also bumps quickstart's stale v0.2.0 action pins to v0.3.0 and documents the source-build dep list.

Verification

Executed the step body verbatim (extracted from action.yml) with ACTION_REF=c7ef4fbb… (the v0.3.0 commit):

Commit c7ef4fbb39f0054876ab2d286b3a6aaf86d05499 is release v0.3.0; using its prebuilt binaries.
bpfcompat-linux-amd64: OK
bpfcompat-validator-static-linux-amd64: OK
Using prebuilt release binaries for v0.3.0.

An unknown 40-hex SHA falls through to "building from source". action.yml YAML-parses (CI gate).

v0.3.1 candidate: once released, SHA-pinned consumers get prebuilt binaries on the next pin bump and the extra apt packages in consumer workflows become unnecessary.

🤖 Generated with Claude Code

Pinning third-party actions by full commit SHA is the recommended (and
maintainer-requested) practice, but the prebuilt-binary resolution only
matched v* tag refs — a SHA pin silently fell back to building the
validator from source, which fails on runners without libbpf-dev
(bpf/bpf.h: No such file or directory). This is exactly what broke the
falcosecurity/libs lane's first dress-rehearsal run.

When the action ref is a 40-hex commit SHA, resolve it to the release
tag pointing at that commit via the tags API (authenticated with the
workflow's github.token to avoid shared-runner rate limits) and use
that release's checksum-verified prebuilt binaries. No matching tag,
missing jq, or any API hiccup falls through to the existing
build-from-source path unchanged; prebuilt: never still forces source.

Also bump quickstart's stale v0.2.0 action pins to v0.3.0 and document
the build-from-source dep list.

Verified locally by executing the step body verbatim with
ACTION_REF=c7ef4fb… (the v0.3.0 commit): resolves to v0.3.0, downloads
both assets, sha256sum -c passes, binaries installed; an unknown SHA
falls through to source build.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings July 15, 2026 14:45

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@ErenAri
ErenAri merged commit 018f866 into main Jul 16, 2026
8 of 9 checks passed
@ErenAri
ErenAri deleted the feat/prebuilt-sha-pin branch July 16, 2026 13:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants