I have generally preferred to avoid using community-maintained actions as far as possible, instead installing and configuring the runners as though I would a normal machine.
This started from a desire to avoid an unknown amount of bloat and untrusted code, but also because I'm pretty tired of getting Node deprecation warnings for installing/using something that has nothing to do with JavaScript at all.
I've always installed a pinned version of Trivy of my choosing, and installed by curl | sh.
Looks like curl | sh may have saved my skin, whereas even older versions of the github action were force-pushed to install the vulnerable binary.
SahAssar•50m ago
> avoid using community-maintained actions as far as possible, instead installing and configuring the runners as though I would a normal machine.
A runner and a action are two very different things.
You could run on the default runners with no community actions, and you can run on self-hosted runners with a lot of community actions.
wilkystyle•13m ago
If you're getting hung up on "normal machine", what I meant is a computer in general that is not related to GitHub Actions at all.
If that's not the part of my message you're referring to, then your message seems completely orthogonal to what I posted.
wilkystyle•1h ago
This started from a desire to avoid an unknown amount of bloat and untrusted code, but also because I'm pretty tired of getting Node deprecation warnings for installing/using something that has nothing to do with JavaScript at all.
I've always installed a pinned version of Trivy of my choosing, and installed by curl | sh.
Looks like curl | sh may have saved my skin, whereas even older versions of the github action were force-pushed to install the vulnerable binary.
SahAssar•50m ago
A runner and a action are two very different things.
You could run on the default runners with no community actions, and you can run on self-hosted runners with a lot of community actions.
wilkystyle•13m ago
If that's not the part of my message you're referring to, then your message seems completely orthogonal to what I posted.