Replies: 2 comments 4 replies
-
Presumably this would already prevent modifications during the automation. We need to keep in mind that for https://github.com/git-for-windows/git
-
I'll just give an extra 👍 to making the actions be immutable releases, too. That plugs a big security hole whenever you refer to an action by tag and not commit hash.
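The comment above ties the risk to workflows that refer to an action by tag rather than by commit hash. As an added example (not code from this thread or from the Git for Windows project), the following script audits workflow text for `uses:` references that are not pinned to a full 40-character commit SHA; the sample workflow, its SHA and `example/some-action` are constructed for illustration.

```python
import re

# `uses:` as a step key or list item; the value may be quoted or followed by a comment.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def classify_ref(target):
    """Classify one `uses:` value as 'local', 'pinned' or 'mutable'."""
    if target.startswith("./"):
        return "local"  # same-repo action, versioned with the workflow itself
    if target.startswith("docker://"):
        # Container actions are only fixed when referenced by image digest.
        return "pinned" if DIGEST_RE.search(target) else "mutable"
    _, sep, ref = target.partition("@")
    # Only a full 40-hex commit SHA is treated as pinned; tags, branches
    # and abbreviated SHAs are reported.
    if sep and FULL_SHA_RE.fullmatch(ref):
        return "pinned"
    return "mutable"


def audit_workflow(text):
    """Return (line number, reference) for every mutable `uses:` value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify_ref(m.group(1)) == "mutable":
            findings.append((lineno, m.group(1)))
    return findings


# Constructed sample workflow: the SHA and example/some-action are made up.
SAMPLE = """\
jobs:
  build:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - uses: git-for-windows/setup-git-for-windows-sdk@v1
      - uses: ./.github/actions/local-step
      - name: abbreviated SHA is still reported
        uses: example/some-action@0123abc
"""

if __name__ == "__main__":
    for lineno, ref in audit_workflow(SAMPLE):
        print(f"line {lineno}: {ref} is not pinned to a full commit SHA")
```
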
-
As per https://github.blog/changelog/2025-10-28-immutable-releases-are-now-generally-available/, there is now an option to opt into immutable releases. This would provide a little bit of confidence in Git for Windows, as releases could not be tampered with after being released by the automation.
Does anyone see any downside?
Side note: We cannot do this org-wide because https://github.com/git-for-windows/git-sdk-64/releases/tag/ci-artifacts needs to stay a "rolling release", i.e. it will be modified frequently, intentionally so. But we could consider opting other repositories into immutable releases, e.g. the Actions (like setup-git-for-windows-sdk) or https://github.com/git-for-windows/pacman-repo or https://github.com/git-for-windows/git-snapshots.
I am looking in particular for feedback from my friendly co-maintainers, @rimrul and @mjcheetham.