As of git-for-windows/git-sdk-64#113, git-for-windows/git-sdk-arm64#56 and git-for-windows/git-sdk-32#55, the `ci-artifacts` releases of the git-sdk-* repositories now provide pre-built `build-installers` artifacts as `.tar.zst` files (e.g. `git-sdk-x86_64-build-installers.tar.zst`). Downloading and extracting these is substantially faster than the previous approach of cloning the repository and running `please.sh create-sdk-artifact`.

The built-in `tar.exe` on Windows Server 2025 and Windows 11 24H2 (OS build 26100 and later) supports Zstandard decompression natively via libarchive (which is the reason why the above-mentioned PRs use that format to publish the `build-installers` artifact). Older runner images such as `windows-2022` (build 20348) lack this support, so we detect the OS build number at runtime and fall back to the existing `getViaGit` code path when Zstandard extraction would fail.

The `getViaCIArtifacts` function now accepts a `flavor` parameter so both `minimal` (which continues to use `.tar.gz`) and `build-installers` (which uses `.tar.zst`) can be served from the same code path with hardcoded, per-flavor asset names that match the actual release assets.

Assisted-by: Claude Opus 4.6
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
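The runtime decision the commit message describes (read the Windows build number, decide whether the built-in `tar.exe` can extract `.tar.zst`, pick the per-flavor asset name, otherwise fall back to the git clone path) is shown below as an added illustration. This is not the action's own code: the `planDownload`/`tarSupportsZstd` helpers, the `Plan` type and the `git-sdk-<arch>-minimal.tar.gz` asset name are assumptions made here for the example; the build threshold 26100, the `windows-2022` build 20348 and the `git-sdk-x86_64-build-installers.tar.zst` name come from the commit message.

```typescript
// Added example (not from setup-git-for-windows-sdk): choose between the
// ci-artifacts download and the git-clone fallback based on the OS build.
import * as os from "os";

// First Windows build whose tar.exe (libarchive) decompresses Zstandard
// natively: Windows Server 2025 / Windows 11 24H2, build 26100.
const MIN_ZSTD_TAR_BUILD = 26100;

type Flavor = "minimal" | "build-installers";

// Per-flavor archive format. The build-installers name matches the release
// asset cited in the commit message; the minimal name is an assumption here.
const FLAVOR_EXTENSION: Record<Flavor, "tar.gz" | "tar.zst"> = {
  minimal: "tar.gz",
  "build-installers": "tar.zst",
};

// os.release() on Windows yields e.g. "10.0.26100"; the third component is
// the OS build number. Returns null for anything that does not look like it.
function windowsBuildNumber(release: string): number | null {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(release.trim());
  return m ? Number(m[3]) : null;
}

// True only when the build is known and at least the Zstandard-capable one.
// An unparseable version is treated as unsupported, so the caller falls back
// rather than attempting an extraction that would fail.
function tarSupportsZstd(release: string): boolean {
  const build = windowsBuildNumber(release);
  return build !== null && build >= MIN_ZSTD_TAR_BUILD;
}

type Plan =
  | { via: "ci-artifacts"; asset: string }
  | { via: "git"; reason: string };

// Decide how to obtain the SDK: .tar.gz flavors are always fetched from the
// ci-artifacts release; .tar.zst flavors only when tar.exe can extract them.
function planDownload(flavor: Flavor, architecture: string, release: string): Plan {
  const ext = FLAVOR_EXTENSION[flavor];
  if (ext === "tar.zst" && !tarSupportsZstd(release)) {
    const build = windowsBuildNumber(release);
    return {
      via: "git",
      reason: `tar.exe on OS build ${build ?? "unknown"} lacks Zstandard support`,
    };
  }
  return { via: "ci-artifacts", asset: `git-sdk-${architecture}-${flavor}.${ext}` };
}

// Stand-alone usage: on a Windows runner, report the plan for the current OS.
if (process.platform === "win32") {
  console.log(planDownload("build-installers", "x86_64", os.release()));
} else {
  // Constructed inputs standing in for windows-latest and windows-2022.
  console.log(planDownload("build-installers", "x86_64", "10.0.26100"));
  console.log(planDownload("build-installers", "x86_64", "10.0.20348"));
}
```

The check deliberately keys on the build number rather than on the product name, because the same libarchive-backed `tar.exe` ships on both Windows Server 2025 and Windows 11 24H2 and the build number is what distinguishes them from the `windows-2022` image.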
GitHub Actions caches are shared across branches and workflows within a repository. This is an architectural property of the caching system that makes it inherently susceptible to cache-poisoning attacks: a low-privileged workflow (or a workflow triggered by a pull request from a fork via `on: pull_request_target`, a splendid footgun) can write malicious content into a cache entry, which a higher-privileged workflow on the default branch may later restore and execute.

This attack surface has been demonstrated in practice by tools such as Cacheract (https://github.com/AdnaneKhan/Cacheract) and documented extensively in "The Monsters in Your Build Cache" (https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/). The OpenSSF has also flagged this vector in their guidance on mitigating attack vectors in GitHub workflows (https://openssf.org/blog/2024/08/12/mitigating-attack-vectors-in-github-workflows/).

Now that not only the `minimal` but also the `build-installers` flavor (which were previously cached by default) are downloaded from the `ci-artifacts` release instead of being built from scratch every single time, the performance impact of this change is expected to be negligible.

Given that the trust boundary between cache writers and cache readers is not well-defined, the safest default is to not use caching at all. Users who have evaluated the trade-off for their specific threat model can still opt in explicitly with `cache: true` or `cache: auto`.

Assisted-by: Claude Opus 4.6
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
GitHub Actions caches are shared across branches and workflows within a repository, which makes them susceptible to cache-poisoning attacks. This has been demonstrated in practice by tools such as Cacheract and documented in "The Monsters in Your Build Cache". The trust boundary between cache writers and cache readers is not well-defined, so the safest default is to not cache at all. Users who have evaluated the trade-off for their threat model can still opt in with `cache: true` or `cache: auto`.

To alleviate the performance impact this would mean for the `build-installers` flavor, we changed the git-sdk-* `ci-artifacts` workflows to provide pre-built `.tar.zst` archives. On runner images whose `tar.exe` supports Zstandard (Windows Server 2025 / `windows-latest`), the `build-installers` flavor is now served directly from these CI artifacts. Older images such as `windows-2022` fall back to the existing git-clone-and-build approach.