I think the only thing that would fix this issue is for them to lose 20%+ of their customers to a competitor. Something very simple that can vacuum up the GHES migration archive and proceed as if it were 2018 again.
I'd be willing to completely sacrifice actions, project boards, copilot, et. al. if it meant I could have ultra fast views into code, issues and pulls. I really see no reason the PR view cannot be pre-rendered on the server when the branch is pushed each time. This should be an instantaneous response at review time. I don't care if it's 5 megabytes of diff - If my browser can handle the react slop, it can certainly handle a big chunk of static DOM.
If I have anyone's attention there is something related I would like to see
Please add a small thing which users can look for on the public: repo/actions page
This small thing should let users know the action was run by github like is default and not run on a custom / private action runner
The private action runner feature makes sense but many projects tell users to look to the github action history to trust that tests A, B, C passed. If the github action ran on a private action runner then you really cannot trust that what is in e.g. run.yml actually ran
The attestation feature can be used to prove that an action was run by github and not by private / custom but users need to install the github cli to validate attestations and this is a heavy ask when I think an addition icon on repo/actions page or a diff icon color will do better
> runs-on: [self-hosted, ...]
Must be added to run.yml to use custom / private action runners
I did not find these docs last time I looked and so my feature request may be already fulfilled
If anyone wants to chime in to say that `runs-on` can be relied on or not I would be grateful
I'd still bet the larger portion was it was just a particularly easy path to preventing downgrade attacks or the like though. Could always be more to it as well I'm not thinking of, just feels likely.
See the reasoning in the PEP 763 (not adopted )
Otherwise yes, leftpad/coverup risk is a thing
What you probably want instead is one-way revocation. You place a permanent marker that says "do not use this release because it is {broken, malicious, ...}".
2. A release is published to fix the bug
3. Someone malicious with access deletes the release
4. Everyone downloading the "latest" version gets the exploitable version until the developers notice and re-publish again
I think about tools used in CI systems that are often re-downloaded in each run, like `helm` or `kubectl` or `crane` for example; if they're pinning a previous version they stay exploitable, and if they're downloading the 'latest' from Github then this switcheroo keeps them exploitable. Given that a lot of emergency security releases come with disclosure ("this is being released to resolve CVE-2025-12345") another 12 hours of exploitability can be critical.
https://docs.github.com/en/code-security/supply-chain-securi...
To alleviate the issue of mutable releases I had set up a mirror of releases checksums to be able to detect releases alterations. This is not needed anymore for immutable releases.
And automatically publishing checking of releases artifacts is also a good recent change by GH: in that project mentioned above I have developed a cli downloader checking the checksums of the downloaded file [1], but to be useful, it required the project to publish checksums, and the project to be mirrored. Now both of these requirements are dropped and the tool is readily useful for all GitHub immutable releases.
> Release attestations let you verify that an artifact is authentic and unchanged, even outside GitHub. Attestations use the Sigstore bundle format, so you can easily verify releases and assets using the GitHub CLI or integrate with any Sigstore-compatible tooling to automate policy enforcement in your CI/CD pipelines. For instructions on how to verify the integrity of a release, see our docs on verifying the integrity of a release.
They are using Sigstore, which is pretty standard in this space.
On the face of it, this seems like a non-starter. If a particular immutable release represents a danger to the consumer (extreme example: the software contains a bug that could result in physical injury) one must have the ability to retract that release so that no further consumers of the software could be affected by it. It makes sense that a retraction of an immutable release should not be reversible in such a way that the release could be recreated with different contents. But retractions must be possible, for both ethical and legal reasons.
I would also argue that its not sufficient to simply apply a blanket "deny all" access control to dangerous releases (assuming such a mechanism exists), as this does not adequately convey the deprecating nature of the change (and as a result, could mistakenly be reversed in the future). Ideally the retraction itself would be immutable such that once retracted the release is inaccessible forever.
Now, it may be that all this is supported by the new feature; I haven't had the chance to test it yet. But nothing in the documentation makes this clear one way or another.
1. Unremovable
2. Uninstallable while keeping the data available
3. Removing the release completely (while keeping an audit log that this happened)
1 is for use-cases where availability trumps security. I'd argue this should never be the case but at the same time it is how our world ticks by and large. Hard to take this away from people.
2 is for security, forensics and heritage but at the cost of availability. Uninstallable could mean to only offer the artifacts in an archive.
3 must always be possible as a last resort for illegal content that slipped through all previous safeguard layers.
uses: github/codeql-action/init@8a06050a8c0348fb4738f28e0cfbb6727cf054ce # v4.31.2
uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
Microsoft does not have strict third party code review policies internally, has been hit with supply chain attacks before, and will be hit again. Consider this a nice to have feature, but give it zero trust.
hoistbypetard•7h ago
I'm glad they're doing this, and it's an unpleasant surprise that they didn't already work this way. I don't understand why they allow mutable releases.
johnisgood•7h ago
> With immutable releases, assets and tags are protected from tampering after publication
I really, really wonder how it worked before. Can anyone explain?
a022311•6h ago
Immutable releases now enable permanently locking tags and releases to make supply chain attacks harder to affect users who are using release assets from before an attack occurred.
The previous behavior is still available by the way, I'm not sure what you meant by "before".
johnisgood•6h ago
I know, I was just wondering how it worked that needed this improvement.
ItsHarper•6h ago
danudey•5h ago
2. You could delete and re-create tags with the same name, even if a release was pointing to that tag already
3. You could delete and re-create an asset that was uploaded to a release without doing any of the above.
By and large none of this is a problem on the surface, but you could imagine someone who gains access to a project's release credentials rebuilding a binary with a backdoor and replacing the existing, published version in the release with their new version after the fact.
An immutable release means that you could only inject that code during the release process by injecting the backdoor into the code itself, and since Github allows you to prevent code from entering a branch except through an approved PR and signed commits, it's possible to make that much more difficult or impractical.
johnisgood•5h ago
hk1337•6h ago
westurner•6h ago
> You can sign tags locally using GPG, SSH, or S/MIME
Git book > 7.4 Git Tools - Signing Your Work: https://git-scm.com/book/ms/v2/Git-Tools-Signing-Your-Work :jayknight•6h ago
TingPing•4h ago
westurner•4h ago
"Don’t Panic: A Playbook for Handling Account Compromise with Sigstore" (2022) https://blog.sigstore.dev/dont-panic-a-playbook-for-handling...
"Why you can’t use Sigstore without Sigstore" (2023) https://blog.sigstore.dev/why-you-cant-use-sigstore-without-... :
> Revocation in Sigstore. A recent post on this blog notes that signatures alone don’t tell you whether to trust an artifact; for that, you need a verification policy. This verification policy is a much more natural place to handle revocation than the identity layer; see Don’t Panic for an example. This allows us to avoid the scalability problems of global revocation lists (see CRLite for a discussion of these issues). The mantra here is revoke artifacts, not keys.
Artifact Attestation > Verifying an artifact attestation for binaries: https://docs.github.com/en/actions/how-tos/secure-your-work/... :
If it is not possible to retract/revoke releases then, there again, the installer MUST verify against a signed list of revoked releaseskimixa•3h ago
I'm honestly a little surprised people seem to think they might be immutable - I guess maybe if people see "git" as "Actually Github"?
GuestFAUniverse•6h ago
Nobody thought about mutable releases being utterly bad _before_? Baffles me...
As bad as hardware vendors selling products with different chips inside as the same model (hello Cisco -- at least in former times; hello HP, formerly selling at least three different, _incompatible_ laptop power supplies with the same label).
Mutability: surprise, surprise, I'm not what you expected! -- maybe one of IT's worst ideas.
bluGill•6h ago
I've done it myself, create a release, upload it, download to a different machine and discover it doesn't work there, so fix and retest. Only after all those steps do I hit send on the release announcement. This is a useful workflow (particularly the first time you release when you don't even know what you are doing).
So long as nobody abuses that mutable releases are a great thing. However a tiny minority of people are not trustworthy and so we are forced to take away a great things because of that minority.
cortesoft•5h ago
danudey•5h ago
cortesoft•4h ago
The ability to change a release is fundamentally incompatible with immutable releases, by definition. You can have one or the other, not both.
embedding-shape•5h ago
Some of us been requesting it as a feature since 2016, just because it wasn't implemented until now doesn't mean even people inside GitHub hasn't thought about it.
LumielGR•2h ago
> Thanks for the submission. We have reviewed your report and determined that it does not present a security risk. Tags and releases are not directly associated. The author lookup for a given release is done when that release is created and not upon subsequent updates. I can see how that could lead to some confusing behavior. I passed your observations on to our developers to see if we would want to change that behavior in the future. But, given that it does not present a security risk, it is not eligible for reward under the Bug Bounty program.
danudey•5h ago
hoistbypetard•5h ago
tuhgdetzhh•2h ago
edflsafoiewq•5h ago
jsiepkes•2h ago