I just came across the immutable releases feature GitHub shipped last October: it locks the corresponding Git tag together with every attached asset, so that neither can be changed or deleted afterwards.

When you enable immutable releases, the following protections are enforced:

  • Git tags cannot be moved or deleted: Once an immutable release is published, its associated Git tag is locked to a specific commit and cannot be changed or removed.
  • Release assets cannot be modified or deleted: All files attached to the release (such as binaries and archives) are protected from modification or deletion.

For downstream supply-chain consumers this sounds like a small but real gain: at minimum, an attacker who gets write access has to publish a new version to poison downstream, so a consumer that pins a specific version and verifies what it pulls (the tag and the asset checksums) is unaffected.

What does it mean for developers and maintainers, though?

GitHub's recommended practice for uploading assets is: create a draft release -> upload the assets -> publish the release.

But if the assets are produced by CI/CD, enabling immutable releases forces a change to the workflow. Creating a draft release does not trigger GitHub Actions, and if you instead trigger on publish you run straight into the rule that assets cannot be changed after publication, so the job can no longer attach anything. The way around it is to let CI/CD build the artifacts and create the draft release with the assets already attached, and then publish it by hand.
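As an added illustration of that flow (my own example, not a workflow from GitHub's documentation), the following GitHub Actions workflow runs on a tag push, builds the artifacts, writes a SHA256SUMS file for downstream verification, and opens a draft release with every asset attached; it never publishes. The `make dist` target writing into `./dist` and the `v*` tag naming scheme are assumptions for the example.

```yaml
# Added example: CI builds and attaches assets to a DRAFT release; a human
# publishes afterwards. The tag push is the trigger, because creating a draft
# release does not fire GitHub Actions and publishing would be too late to
# attach anything under immutable releases.
name: draft-release

on:
  push:
    tags:
      - "v*"            # assumed tag scheme, e.g. v1.2.3

permissions:
  contents: write       # required to create the release and upload assets

jobs:
  draft:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build artifacts
        run: make dist  # hypothetical build target; writes files into ./dist

      - name: Generate checksums so downstream can verify what they pull
        working-directory: dist
        run: sha256sum * > SHA256SUMS

      - name: Create a draft release with all assets attached
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          # --draft keeps the release unpublished; --verify-tag refuses to
          # create the release if the tag does not already exist upstream.
          gh release create "${GITHUB_REF_NAME}" dist/* \
            --draft \
            --verify-tag \
            --title "${GITHUB_REF_NAME}" \
            --generate-notes
```

After the job finishes, a maintainer reviews the draft and publishes it either from the web UI or with `gh release edit v1.2.3 --draft=false`; from that moment the tag and the attached files are frozen, so anything missing from the draft has to go into a new release rather than an edit.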