release-plz sits at a sensitive location: It has access to our publish pipeline, and it has write access to the archives before upload. To harden our release pipelines, we hash-pin all GitHub actions and their binaries to ensure the integrity of tooling releases. The release-plz/action supports pinning the version of release-plz, but doesn't seem to have a way of pinning the archive hashes of the binary.
Would it be possible to add hashes, either by storing them in the repo (with the default version update) or by allowing the user to set a hash?
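As an added illustration of the check the request is asking for (this is not code from release-plz or release-plz/action), a POSIX shell step that compares a downloaded archive against a SHA-256 digest pinned in the workflow and refuses to extract it on mismatch. The download URL, file names and digest values are placeholders.

```shell
#!/bin/sh
# Verify a downloaded release archive against a digest pinned in the workflow.
# A swapped or tampered archive then fails closed instead of running with the
# pipeline's publish credentials.
#
# Usage: verify_pinned_archive <file> <expected-sha256-hex>
verify_pinned_archive() {
    file="$1"
    expected="$2"
    if [ ! -f "$file" ]; then
        echo "verify_pinned_archive: '$file' not found" >&2
        return 1
    fi
    # Normalise the pinned digest to lowercase; the hashing tools emit lowercase hex.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
    fi
    if [ "$actual" != "$expected" ]; then
        echo "verify_pinned_archive: SHA-256 mismatch for '$file'" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    echo "verify_pinned_archive: '$file' matches pinned digest"
    return 0
}

# Hypothetical pipeline step: fetch the archive, verify it against the pinned
# digest, and only extract it when the check passes. Both arguments are
# placeholders supplied by the workflow, not values from the project.
fetch_and_verify() {
    url="$1"        # e.g. the release archive URL for the pinned version
    pinned="$2"     # SHA-256 hex digest stored alongside the pinned version
    out="$3"        # local path for the downloaded archive
    curl -fsSL -o "$out" "$url" || return 1
    verify_pinned_archive "$out" "$pinned" || { rm -f "$out"; return 1; }
    tar -xzf "$out"
}
```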