Turning on Immutable Releases #93
Open
Description
Hey ✌️
we use your product and like it a lot 👍
Now to the issue. We had a recent Copilot review comment:
The `mint bootstrap -v --link --overwrite y` call in CI installs and
executes third-party CLI tools defined in `Mintfile` (e.g.
`mono0926/LicensePlist`, `ChargePoint/xcparse`) using only tag-based
version pins, without any checksum or signature verification. If one of
these upstream repositories is compromised or a tag is retargeted, a
malicious release could be pulled and run in your Codemagic environment
with access to CI secrets and the build workspace. To reduce
supply-chain risk, pin Mint dependencies to immutable identifiers
(commit SHAs or content hashes), or vendor and audit the tools you
execute in CI instead of pulling arbitrary code directly from GitHub on
each build.
What would solve this issue are immutable releases. I don't see any issue that would speak against turning this on. For my own open source projects I'd rather create a new release instead of modifying an old one.
WDYT?
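The review comment above distinguishes between references an upstream maintainer can move (tags, branches, or no version at all) and references that cannot change (a full commit SHA). Immutable releases close the gap on the publisher's side; a consumer can also check its own `Mintfile` for mutable pins before `mint bootstrap` runs. The following lint is an added example written for this issue, not code from the project or from Mint. It assumes Mint's `package[@version]` line syntax, treats `#` as a comment marker, and treats only a 40-character hex string as an immutable commit reference; whether a given Mint version accepts a commit hash in that position is an assumption to verify against Mint's own documentation. The sample `Mintfile` content, version numbers, and commit hash are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample Mintfile. The tool names echo the ones quoted in the
# issue; the version strings and the commit hash are made up.
SAMPLE_MINTFILE = """\
# Tools that `mint bootstrap` installs and runs in CI
mono0926/LicensePlist@3.24.4
ChargePoint/xcparse@2.3.1
realm/SwiftLint
https://github.com/yonaskolb/XcodeGen.git@1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e
"""

# A full SHA-1 object id: the only reference git itself will not let move.
FULL_COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")

# `package` followed by an optional `@version`. The version part may not contain
# '@', '/' or ':' so that the '@' in an scp-style URL (git@github.com:org/repo)
# is never mistaken for the version separator.
MINT_LINE = re.compile(r"^(.+?)(?:@([^@/:\s]+))?$")


@dataclass
class Pin:
    package: str
    version: Optional[str]
    kind: str  # "commit", "mutable-ref" (tag or branch), or "unpinned"


def classify(version: Optional[str]) -> str:
    """Rate how strongly a Mintfile version string pins the dependency."""
    if not version:
        return "unpinned"          # Mint resolves to whatever is newest
    if FULL_COMMIT_SHA.match(version.lower()):
        return "commit"            # content-addressed, cannot be retargeted
    return "mutable-ref"           # a tag such as 3.24.4 or a branch name


def parse_mintfile(text: str) -> List[Pin]:
    """Parse `package[@version]` lines, ignoring blank lines and `#` comments."""
    pins: List[Pin] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = MINT_LINE.match(line)
        if match is None:
            raise ValueError(f"unrecognised Mintfile line: {raw!r}")
        package, version = match.group(1), match.group(2)
        pins.append(Pin(package=package, version=version, kind=classify(version)))
    return pins


def mutable_pins(text: str) -> List[str]:
    """Packages a CI job would fetch by a reference the upstream repo can change."""
    return [p.package for p in parse_mintfile(text) if p.kind != "commit"]


if __name__ == "__main__":
    for pin in parse_mintfile(SAMPLE_MINTFILE):
        print(f"{pin.kind:12} {pin.package} @ {pin.version}")
    flagged = mutable_pins(SAMPLE_MINTFILE)
    if flagged:
        print("Not pinned to an immutable commit:", ", ".join(flagged))
        raise SystemExit(1)
```

Run against the repository's real `Mintfile` as a pre-`bootstrap` CI step, the script exits non-zero as soon as any tool is fetched by tag, branch, or no version at all, which is the condition the Copilot comment flags. It deliberately does no network access: resolving each tag to the SHA it currently points at, and recording that SHA, is a separate one-time step done by a maintainer who has reviewed the upstream release.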