feat(action): use prebuilt release binaries for commit-SHA pins#83
Merged
Conversation
Pinning third-party actions by full commit SHA is the recommended (and maintainer-requested) practice, but the prebuilt-binary resolution only matched v* tag refs — a SHA pin silently fell back to building the validator from source, which fails on runners without libbpf-dev (bpf/bpf.h: No such file or directory). This is exactly what broke the falcosecurity/libs lane's first dress-rehearsal run. When the action ref is a 40-hex commit SHA, resolve it to the release tag pointing at that commit via the tags API (authenticated with the workflow's github.token to avoid shared-runner rate limits) and use that release's checksum-verified prebuilt binaries. No matching tag, missing jq, or any API hiccup falls through to the existing build-from-source path unchanged; prebuilt: never still forces source. Also bump quickstart's stale v0.2.0 action pins to v0.3.0 and document the build-from-source dep list. Verified locally by executing the step body verbatim with ACTION_REF=c7ef4fb… (the v0.3.0 commit): resolves to v0.3.0, downloads both assets, sha256sum -c passes, binaries installed; an unknown SHA falls through to source build. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Pinning third-party actions by full commit SHA is the recommended practice (and what falcosecurity maintainers explicitly asked for in falcosecurity/libs#3024) — but the action's prebuilt-binary resolution only matched
v*tag refs. A SHA pin silently fell back to building the validator from source, which fails on any runner withoutlibbpf-dev:This is exactly what broke the falcosecurity/libs lane's first dress-rehearsal run (failing run, stopgap upstream fix falcosecurity/libs#3055).
Fix
When
github.action_refis a 40-hex commit SHA, resolve it to the release tag pointing at that commit via the tags API (authenticated with the workflow'sgithub.tokento avoid shared-runner rate limits) and use that release's checksum-verified prebuilt binaries.Fallback behavior is unchanged and graceful: no matching tag, missing
jq, or any API failure → existing build-from-source path;prebuilt: neverstill forces source builds.Trust model note: assets are still verified against the release
SHA256SUMS(cosign-signed, see docs/verifying-releases.md) — the same model tag-pinned consumers already use. Consumers who want strictly pinned-source execution keepprebuilt: never.Also bumps quickstart's stale
v0.2.0action pins tov0.3.0and documents the source-build dep list.Verification
Executed the step body verbatim (extracted from action.yml) with
ACTION_REF=c7ef4fbb…(the v0.3.0 commit):An unknown 40-hex SHA falls through to "building from source".
action.ymlYAML-parses (CI gate).v0.3.1 candidate: once released, SHA-pinned consumers get prebuilt binaries on the next pin bump and the extra apt packages in consumer workflows become unnecessary.
🤖 Generated with Claude Code