As part of hardening our GitHub workflow, I have selected, under Actions permissions, "Allow [OWNER], and select non-[OWNER], actions and reusable workflows" and "Allow actions by Marketplace verified creators".

_Any action or reusable workflow that matches the specified criteria, plus those defined in a repository within [OWNER] can be used._ Learn more about allowing specific actions and reusable workflows to run.

Because withastro/action@v6 is not a verified creator (see https://docs.github.com/en/apps/github-marketplace/github-marketplace-overview/applying-for-publisher-verification-for-your-organization), I get the following error:

> [!WARNING]
> Error: The action withastro/action@v6 is not allowed in [OWNER]/[REPOSITORY] because all actions must be from a repository owned by [OWNER], created by GitHub, or verified in the GitHub Marketplace.

https://github.com/marketplace/actions/astro-deploy

The requirements are:

1. Two factor authentication
2. A valid email for GitHub to communicate to
3. A verified domain and ensure that a "Verified" badge displays on your organization's profile page.

This is because I worry after the TanStack GitHub Actions cache poisoning hack. I'm no security expert, so I cannot judge if this is efficient security hardening or needless complication.
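An added example, not part of the issue above or of the withastro/action project: a Python sketch that lists the `uses:` references in a workflow file and classifies each against the policy named in the error message, including the explicit pattern list that the same settings page offers. The owner `example-org`, the sample workflow and the verified-creator set are assumptions (verified status is supplied by the caller, not looked up), and `fnmatch` only approximates GitHub's `*` wildcard matching.

```python
import fnmatch
import re

# Constructed sample workflow; "example-org" is a placeholder owner.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: withastro/action@v6
      - uses: ./.github/actions/local-step
  reuse:
    uses: example-org/build-tools/.github/workflows/ci.yml@main
"""

# Matches step-level and job-level `uses:` keys, optionally quoted.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)


def classify(ref, owner, verified_creators=(), allow_patterns=()):
    """Return why `ref` is allowed under the policy, or "blocked"."""
    ref_owner = ref.split("/", 1)[0].lower()
    if ref_owner == owner.lower():
        return "owner"      # repository within the owner's account
    if ref_owner in ("actions", "github"):
        return "github"     # GitHub-created actions live in these two orgs
    if ref_owner in {v.lower() for v in verified_creators}:
        return "verified"   # caller-supplied assumption, not looked up
    if any(fnmatch.fnmatchcase(ref, p) for p in allow_patterns):
        return "pattern"    # approximates the settings page's `*` wildcard
    return "blocked"


def audit(workflow_text, owner, verified_creators=(), allow_patterns=()):
    """Classify every non-local `uses:` reference in a workflow file."""
    results = []
    for ref in USES_RE.findall(workflow_text):
        if ref.startswith("./"):
            continue  # local actions come from the same repository
        results.append((ref, classify(ref, owner, verified_creators, allow_patterns)))
    return results


if __name__ == "__main__":
    for ref, verdict in audit(SAMPLE_WORKFLOW, "example-org"):
        print(f"{verdict:8} {ref}")
    # With an explicit pattern entry the blocked action becomes allowed:
    print(audit(SAMPLE_WORKFLOW, "example-org", allow_patterns=["withastro/action@*"]))
```

Running it over a repository's `.github/workflows/*.yml` files before tightening the setting shows which references would start failing and which pattern entries would be needed to keep them.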
In #88 we switched from https://github.com/actions/upload-pages-artifact to owning the code for uploading an artifact ourselves because v4 of that action had stopped including dotfiles (used for e.g. ).

https://github.com/actions/upload-pages-artifact/pull/137 just added back the ability to include hidden files, so we can now switch back and avoid having to own all that extra code.
Repository: withastro/action. Description: A GitHub Action that deploys your Astro project to GitHub Pages. Stars: 254, Forks: 56. Latest release: v6.1.1 (2mo ago). Open PRs: 3, open issues: 5. Last activity: 2mo ago. Community health: 62%. Top contributors: natemoo-re, delucis, colinhacks, Princesseuh, ThatXliner, ollecoffee, adrianmg, deining, swift502, torn4dom4n and others.