Automated building and releasing Plugins on Github with Github Actions

Wow, that is wild! I thought those version tags were specific commits. I didn’t know they could be changed! It is a misleading concept of “version” if you ask me. So many vulnerabilities lurking everywhere!

Maybe other developers will benefit from this:

“Hardening” workflow actions is rather easy, but a chore:

  • The repo for each action has to be visited.

  • The desired version tag must be selected in the “Switch branches/tags” dropdown.

  • The chosen commit’s SHA must be copied.

  • The workflow file must be edited to replace the @<some_version> mutable reference with the copied SHA (the immutable reference).

Here are the changes from one of my workflows, maybe the example will be useful to some of you:

2 Likes

A tag is just “a pointer” to a commit, and it can be changed/removed. Tags are just descriptive labels, like bookmarks. They have never inherently carried the notion of “version”, that’s just how some people use them, in certain contexts. In git there are no “versions”, only commits and branches.

I haven’t really delved deeply into the vulnerability, but it seems to me that a user should consider:

  • What secrets (if any) of mine can be exposed/leaked in my workflow.
  • Which imported actions/code are given access to my secrets in the workflow.
  • Audit those and substitute tags for commits.
1 Like
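An added example, not part of this thread or of anyone's workflow in it: a small Python audit script covering both the pinning chore from the earlier post (visit the repo, pick the tag, copy the SHA, edit the workflow) and the two questions in this one (which steps are handed secrets, and which imported actions are still referenced by tag). It scans a workflow for `uses:` lines, reports which references are a mutable tag or branch rather than a full commit SHA, flags which of those steps are passed `${{ secrets.* }}`, and rewrites the mutable references to SHAs through a resolver you supply, keeping the original tag as a trailing comment. The WORKFLOW text, the FAKE_SHAS table and the `deadbeef…`/`cafebabe…`/`0123…` SHAs are constructed; the action names are real projects used only as sample input, and `resolve_via_git_ls_remote` is the network-backed resolver you would plug in for real (it is not exercised here).

```python
import re
import subprocess
from typing import Callable, Dict, List

# `- uses: owner/repo[/path]@ref   # optional comment`
USES_RE = re.compile(r"^(?P<head>\s*-?\s*uses:\s*)(?P<action>[^@\s]+)@(?P<ref>[^\s#]+)(?P<rest>.*)$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")         # a full commit SHA is the only immutable reference
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.")  # `${{ secrets.NAME }}` expressions

# Constructed sample workflow: the action names are real projects, the SHA is made up.
WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build
        run: make dist
      - name: Upload
        uses: softprops/action-gh-release@v2
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567  # v4 (constructed SHA)
"""

# Constructed stand-in for a real tag lookup, keyed by (action, ref).
FAKE_SHAS = {("actions/checkout", "v4"): "deadbeef" * 5,
             ("softprops/action-gh-release", "v2"): "cafebabe" * 5}

def is_pinned(ref: str) -> bool:
    return bool(SHA_RE.match(ref))

def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))

def _step_region(lines: List[str], i: int) -> List[str]:
    """All lines of the step containing the `uses:` line at index i (keys share the `uses` column)."""
    col = lines[i].index("uses:")
    start = i
    if not lines[i].lstrip().startswith("-"):  # `- name:` came first: walk back to it
        while start > 0 and (not lines[start - 1].strip() or _indent(lines[start - 1]) >= col):
            start -= 1
        if start > 0 and _indent(lines[start - 1]) == col - 2 and lines[start - 1].lstrip().startswith("-"):
            start -= 1
    end = i + 1
    while end < len(lines) and (not lines[end].strip() or _indent(lines[end]) >= col):
        end += 1
    return lines[start:end]

def audit(text: str) -> List[Dict]:
    """One finding per `uses:` line (local `./path` and `docker://` actions have no `@ref`, so they are skipped)."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if m:
            region = _step_region(lines, i)
            findings.append({"line": i + 1, "action": m["action"], "ref": m["ref"],
                             "pinned": is_pinned(m["ref"]),
                             "gets_secrets": any(SECRET_RE.search(s) for s in region)})
    return findings

def pin_workflow(text: str, resolve: Callable[[str, str], str]) -> str:
    """Rewrite mutable refs to the SHA returned by `resolve`, keeping the tag name as a comment."""
    out = []
    for line in text.splitlines(keepends=True):
        nl = "\n" if line.endswith("\n") else ""
        m = USES_RE.match(line.rstrip("\n"))
        if m and not is_pinned(m["ref"]):
            sha = resolve(m["action"], m["ref"])
            if not is_pinned(sha):
                raise ValueError(f"resolver gave a non-SHA for {m['action']}@{m['ref']}: {sha}")
            rest = m["rest"] if "#" in m["rest"] else f"{m['rest']}  # {m['ref']}"
            line = f"{m['head']}{m['action']}@{sha}{rest}{nl}"
        out.append(line)
    return "".join(out)

def resolve_via_git_ls_remote(action: str, ref: str) -> str:
    """Network-backed resolver (not run by the tests): the `git ls-remote` equivalent of picking the
    tag in the dropdown. Annotated tags list as refs/tags/<ref> (tag object) and refs/tags/<ref>^{} (commit)."""
    owner_repo = "/".join(action.split("/")[:2])
    out = subprocess.run(["git", "ls-remote", "--tags", "--heads", f"https://github.com/{owner_repo}.git"],
                         capture_output=True, text=True, check=True).stdout
    wanted = {f"refs/tags/{ref}", f"refs/heads/{ref}"}
    plain = peeled = None
    for entry in out.splitlines():
        sha, _, name = entry.partition("\t")
        if name in wanted:
            plain = sha
        elif name.endswith("^{}") and name[:-3] in wanted:
            peeled = sha
    if peeled or plain:
        return peeled or plain
    raise LookupError(f"{owner_repo} has no tag or branch named {ref}")
```

Run `audit(WORKFLOW)` to see which steps are still on mutable tags and which of those also receive secrets (the release step here), then `pin_workflow(WORKFLOW, resolve_via_git_ls_remote)` to produce the pinned file; the tag name survives as a comment so the intent of each pin is still readable. Note that `softprops/action-gh-release` is flagged twice over: unpinned and handed `GITHUB_TOKEN`, which is the combination the post's bullets are asking you to look for.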

Even if we audit all the actions we use and refer to them using commit hashes instead of tags, what if those actions use other actions via tags? Then you still have a vulnerability to someone swapping good code with evil code.

Yes, I don’t know how deep that rabbit hole goes.

It could be tag turtles all the way down, Don!!! :turtle:

For those that may not have heard the term:

1 Like

With the release of 2.6.3, this workflow needs some updates.

As has already been mentioned, the Mac OS builds break now since the new SDK is separate for x64 and ARM Macs, but the Windows and Linux side needs to be updated too: It’s using a fork of VCV’s plugin toolchain image, and that fork builds against 2.5.2, so Mac will be building against 2.6.3 while Windows and Linux will build against 2.5.2.

2 Likes

I made a new image with SDK 2.6.3 for Windows and Linux.

It includes the recent VCV toolchain fixes, so it produces working Windows plugins.

No image for Apples because that’s already taken care of.

If you are using qno’s image, using mine is easy, a simple edit of your workflows should get you going:

Substitute:

image: ghcr.io/qno/rack-plugin-toolchain-win-linux

for:

image: ghcr.io/bloodbat/rack-plugin-toolchain-win-linux

And… that’s it.

It’s working nicely for me, it may also work nicely for you.

So… that’s that.

2 Likes