Supply Chain Attack on Trivy (wiz.io)

by tiri 5 comments 12 points

5 comments

[−] wilkystyle 54d ago
I have generally preferred to avoid using community-maintained actions as far as possible, instead installing and configuring the runners as though I would a normal machine.

This started from a desire to avoid an unknown amount of bloat and untrusted code, but also because I'm pretty tired of getting Node deprecation warnings for installing/using something that has nothing to do with JavaScript at all.

I've always installed a pinned version of Trivy of my choosing, and installed by curl | sh.

Looks like curl | sh may have saved my skin, whereas even older versions of the GitHub action were force-pushed to install the vulnerable binary.
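A check in the spirit of this comment's concern about force-pushed action tags, added here as an example and not code from the thread or from the Trivy project: it lists every `uses:` reference in a workflow that points at a mutable tag or branch rather than a full commit SHA. The sample workflow, its action names and its SHA are constructed for the example.

```shell
#!/usr/bin/env sh
# A tag such as v1.2.3 can be force-pushed to different code later; a full
# 40-hex commit SHA cannot. This audit flags `uses:` refs that rely on tags.

# Print every `uses:` reference NOT pinned to a full commit SHA.
# Local actions (./path) and docker:// images are out of scope and skipped.
list_unpinned_uses() {
    workflow="$1"
    grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$workflow" \
      | sed -E "s/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//; s/[[:space:]]*#.*$//; s/^['\"]//; s/['\"]$//" \
      | grep -Ev '^(\./|docker://)' \
      | grep -Ev '@[0-9a-f]{40}$' || true
}

# Count unpinned references; 0 means every third-party action is SHA-pinned.
count_unpinned_uses() {
    list_unpinned_uses "$1" | grep -c . || true
}

# Constructed sample workflow (the SHA below is a made-up placeholder, and the
# tag/branch refs are illustrative, not real vulnerable versions).
SAMPLE_WORKFLOW="${TMPDIR:-/tmp}/sample-scan-workflow.yml"
cat > "$SAMPLE_WORKFLOW" <<'EOF'
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # pinned
      - uses: aquasecurity/trivy-action@0.0.1
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
EOF

printf 'unpinned action references in %s:\n' "$SAMPLE_WORKFLOW"
list_unpinned_uses "$SAMPLE_WORKFLOW"
printf 'total unpinned: %s\n' "$(count_unpinned_uses "$SAMPLE_WORKFLOW")"
```

Running it on the sample reports the two tag/branch references and leaves the SHA-pinned, local and docker entries alone.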

[−] SahAssar 54d ago

> avoid using community-maintained actions as far as possible, instead installing and configuring the runners as though I would a normal machine.

A runner and an action are two very different things.

You could run on the default runners with no community actions, and you can run on self-hosted runners with a lot of community actions.

[−] wilkystyle 54d ago
If you're getting hung up on "normal machine", what I meant is a computer in general that is not related to GitHub Actions at all.

If that's not the part of my message you're referring to, then your message seems completely orthogonal to what I posted.

[−] K3UL 54d ago
They're right though, using a self-hosted runner has nothing to do with using community actions or not. Installing with curl and sh can be done in a GitHub public runner just as well.

[−] wilkystyle 54d ago
Of course it's a true statement, but I'm not using self-hosted runners, nor does my comment mention them.