# general
q
I noticed the `example-python` project has a `get-pants.sh` file checked in. Is it recommended to have that checked in to run in CI?
b
Yep, see https://www.pantsbuild.org/2.21/docs/getting-started/installing-pants for discussion of why:
"For security reasons, we don't recommend frequently curling this script directly to bash, e.g., on every CI run. If the script were compromised during some time window, you'd be more likely to download it during that window and be impacted. Instead, for regular use, we recommend checking this script into the root of your repo and pointing users and CI machines to that checked-in version. The script is very simple and need not be updated very often."
w
I feel like our CI recommendations aren't cohesive. In `example-python` we use the GitHub Actions, which will use the local script, or grab a specific SHA's `get-pants.sh`. But, in our action, we're never pulling the current script from a URL, per se, anyway - it's a known good commit. And if we're that concerned about CI security to the point of distrusting GitHub commits, it feels like we should enforce a SHA in the curl command in our action (at least), or even vendor the script itself in the action.
```bash
if ! command -v pants; then
  if [[ -f ./get-pants.sh ]]; then
    # Prefer the copy checked into the repo.
    ./get-pants.sh
  else
    # Otherwise fetch the script pinned to a specific setup-repo commit.
    curl --proto '=https' --tlsv1.2 -fsSLo "${{ runner.temp }}/get-pants.sh" \
      "https://raw.githubusercontent.com/pantsbuild/setup/${{ inputs.setup-commit }}/get-pants.sh"
    chmod +x "${{ runner.temp }}/get-pants.sh"
    "${{ runner.temp }}/get-pants.sh"
  fi
  # Ensure 'pants' is on the PATH for subsequent actions.
  if [[ -f "$HOME/bin/pants" ]]; then
    # The repo might have a copy of an older get-pants.sh that installs to ~/bin.
    echo "$HOME/bin" >> "$GITHUB_PATH"
  else
    echo "$HOME/.local/bin" >> "$GITHUB_PATH"
  fi
fi
```
To be clear, I agree with not curling often from `https://static.pantsbuild.org/setup/get-pants.sh` because that adds another indirection to downloading the script. I'd rather that curl command point directly to GitHub releases, or raw.github ... with a commit SHA.
p
So maybe our getting started doc can mention that we've optimized the security when using the GitHub action? Also, I prefer to direct people to the `get-pants.sh` that I have already checked into the repo. Maybe we need a getting started doc for repos that are already running Pants? Something to onboard new people without going through the full tutorial?
w
optimized the security
Not my preferred terminology 😆 Not suggesting this slack thread is the best place for this discussion, even though I kicked it off - maybe a GH discussion?