Tags: chains-project/ghasum
Help users get started after initializing

Update the output of `ghasum init` to include some next steps for what to do once ghasum is done initializing. This hopefully makes it clearer to users how to use `ghasum`. Also, it provides some guidelines for how to improve this command in the future - if (some of) these steps can be automated it would be helpful for the user if they don't have to do it themselves.
Continuously test `ghasum` on different runners

Update the CI to test the project on macOS and Windows runners to ensure compatibility with those runners and platforms(/OSes). No compatibility issues have been identified with macOS. However, for Windows several compatibility issues were found and resolved:

1. Several instances of files not being found due to incorrect filepath separators. This happens because packages like `os` require the use of OS-specific filepath separators while implementations of `fs.FS` require the use of `/` as filepath separators. Unfortunately this project still needs both APIs, so a mix of the two is necessary for now. This was not detected earlier because on Linux the OS-specific filepath separator is `/`. This is fixed by selectively using the `path` or `path/filepath` modules (which provide platform independent and dependent logic resp.).
2. If the target to verify is an absolute path it will have a `:` from the drive identifier, which ghasum would confuse for the separator between the workflow path and job. This was fixed by requiring the `:` for the start of the job identifier to appear after index 1. This avoids matching drive identifiers (which always have `:` at index 1) and always matches job identifiers for workflows (which always appear after index 1 because the workflow file name must at least include the `.yml` suffix).
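The second Windows fix above describes a parsing rule rather than code. As an added illustration (not ghasum's own implementation, whose exact code may differ), the Go function below splits a `<workflow path>[:<job>]` target while ignoring a `:` at index 1, so a Windows drive designator such as `C:` is never mistaken for the job separator. The function name `splitTarget`, the sample targets and the choice to take the first `:` at index 2 or later are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// splitTarget splits a verification target of the form "<workflow path>[:<job>]"
// into its workflow path and optional job identifier.
//
// A Windows absolute path carries a ':' at index 1 (e.g. `C:\repo\...`). To avoid
// treating that drive designator as the separator, only a ':' at index 2 or later
// starts the job identifier. This is safe for workflow targets because the file
// name must at least end in ".yml", so a real separator always sits past index 1.
// (Assumption for this example: the first qualifying ':' is the separator.)
func splitTarget(target string) (workflow, job string) {
	const minSepIndex = 2 // a job separator may only appear after index 1
	if len(target) <= minSepIndex {
		return target, ""
	}
	i := strings.Index(target[minSepIndex:], ":")
	if i < 0 {
		return target, "" // no job identifier present
	}
	i += minSepIndex
	return target[:i], target[i+1:]
}

func main() {
	// Constructed sample targets: a Linux-style relative path with a job, a
	// Windows absolute path with and without a job, and a too-short value.
	samples := []string{
		".github/workflows/ci.yml:build",
		`C:\repo\.github\workflows\ci.yml:test`,
		`C:\repo\.github\workflows\ci.yml`,
		"a:b",
	}
	for _, s := range samples {
		w, j := splitTarget(s)
		fmt.Printf("target=%q workflow=%q job=%q\n", s, w, j)
	}
}
```

Run with `go run .`; the Windows path keeps its `C:` prefix intact and the job `test` is still recognised because its separator sits well past index 1.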
Add option to disable checksums for transitive actions

Allow users to opt-out of checksums for transitive actions. This enables users that depend on actions with transitive dependencies to use ghasum despite the fact that their dependencies do not (yet) pin their transitive dependencies. This allows for an improvement in security even in cases where the best security guarantees cannot be realized. This is an opt-out option because in an ideal scenario users do not need to disable this, even if today's reality may be that most users will need to disable it.
Initial implementation

This evolves the POC from the initial commit to an initial, somewhat usable, implementation of ghasum. This initial version supports an initialization command to start using ghasum in a project, a verification command to check stored checksums of a project against computed checksums for the actions used, and an update command to update the stored checksums of a project with newly computed checksums.