Pin sccache by SHA-256 digest instead of release tag #6

Open · opened 2026-05-28 02:56:25 +00:00 by stephen (Owner) · 0 comments

Today the action fetches by release tag and trusts the sidecar digest fetched alongside it. For maximum reproducibility, allow the caller to pass a known digest that must match, removing trust in the sidecar being fetched at run time.

Add an optional input (e.g. `sha256`) that, when set, is compared against the downloaded tarball instead of (or in addition to) the fetched sidecar. Fail closed on mismatch.

Tracked in SECURITY.md under "What is not done yet".
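A fail-closed check of the shape this issue describes, as an added shell example that is not code from sccache-action: `sha256_of` and `verify_tarball` are hypothetical names, the sidecar format (`<hex>  <name>`) is assumed, and the tarball bytes are constructed.

```shell
#!/bin/sh
# Added example, not sccache-action code. Portable file digest for GNU
# coreutils (sha256sum) and BSD/macOS (shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_tarball TARBALL EXPECTED_SHA256 [SIDECAR_FILE]
# EXPECTED_SHA256 is the caller-supplied `sha256` input (may be empty);
# SIDECAR_FILE is the "<hex>  <name>" digest file fetched beside the release.
# Returns 0 only when every supplied reference matches the download; with no
# reference at all it fails closed instead of silently accepting the tarball.
verify_tarball() {
  _tarball=$1; _expected=$2; _sidecar=${3:-}
  [ -r "$_tarball" ] || { echo "tarball not readable: $_tarball" >&2; return 1; }
  _actual=$(sha256_of "$_tarball") || return 1
  _checked=0
  if [ -n "$_expected" ]; then
    # Normalise to lowercase and reject anything that is not 64 hex chars.
    _expected=$(printf '%s' "$_expected" | tr 'A-F' 'a-f')
    case "$_expected" in *[!0-9a-f]*) echo "sha256 input is not hex" >&2; return 1;; esac
    [ "${#_expected}" -eq 64 ] || { echo "sha256 input must be 64 hex chars" >&2; return 1; }
    [ "$_actual" = "$_expected" ] || { echo "digest mismatch vs sha256 input" >&2; return 1; }
    _checked=1
  fi
  if [ -n "$_sidecar" ]; then
    _sidecar_digest=$(awk 'NR==1{print $1}' "$_sidecar")
    [ "$_actual" = "$_sidecar_digest" ] || { echo "digest mismatch vs sidecar" >&2; return 1; }
    _checked=1
  fi
  [ "$_checked" -eq 1 ] || { echo "no digest to verify against" >&2; return 1; }
}

# Stand-alone demo on a constructed file (not a real sccache release).
demo() {
  _f=$(mktemp)
  printf 'constructed tarball bytes\n' > "$_f"
  verify_tarball "$_f" "$(sha256_of "$_f")" && echo "ok: matching sha256 input accepted"
  _zeros=0000000000000000000000000000000000000000000000000000000000000000
  verify_tarball "$_f" "$_zeros" || echo "ok: wrong sha256 input rejected"
  rm -f "$_f"
}
demo
```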

Reference: rasterstate/sccache-action#6