Hasty Briefs (beta)

GitHub Actions' VM image doesn't match published source code

a day ago
  • #SBOM
  • #GitHub Actions
  • #Reproducible Builds
  • A GitHub Actions pipeline failed due to an error with `hashFiles('**/Cargo.lock')`.
  • The issue appears to be a regression, with multiple reports from 2025 linking to GitHub discussions and runner issues.
  • A comment pointed out that the file as committed to the repository differs from the copy actually present on the runner, suggesting the shipped file had been edited by hand rather than built from the published source.
  • Comparing several versions of the runner's bundled JavaScript file turned up inconsistencies, including an inserted UTF-8 byte-order mark (BOM) and differences in log redaction.
  • The incident raises concerns about the transparency of GitHub Actions' build environment and, by extension, the accuracy of any SBOM (Software Bill of Materials) that describes it: a component that cannot be traced to published source cannot be described correctly.
  • Debian and Arch Linux's approach to documenting build environments is cited as a more transparent alternative.
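As an added example (not code from the article, from GitHub, or from the runner project), here is a small Python check of the kind a practitioner might run when a file on a runner image does not match its published source: it computes a hashFiles-style digest-of-digests (the scheme is modeled on the runner's hashFiles helper, and the exact byte-for-byte correspondence is an assumption to verify against the runner source), detects whether a UTF-8 byte-order mark was added, and reports the diff that remains after BOM and line-ending differences are normalized away. All file names and contents below are constructed.

```python
import difflib
import hashlib
from pathlib import Path
from typing import Dict, Iterable, List

UTF8_BOM = b"\xef\xbb\xbf"


def hash_files_bytes(files: Dict[str, bytes]) -> str:
    """Digest-of-digests over a set of files, keyed by path.

    Modeled on the scheme used by the runner's hashFiles helper: SHA-256 each
    file, then feed the raw digest bytes, in sorted path order, into an outer
    SHA-256. Assumption: this matches the runner exactly; check its source.
    """
    outer = hashlib.sha256()
    for path in sorted(files):
        outer.update(hashlib.sha256(files[path]).digest())
    return outer.hexdigest()


def hash_files(paths: Iterable[Path]) -> str:
    """Same digest over files on disk, e.g. Path('.').glob('**/Cargo.lock')."""
    return hash_files_bytes({str(p): Path(p).read_bytes() for p in paths})


def _normalize(data: bytes) -> List[str]:
    """Strip a leading UTF-8 BOM and unify CRLF to LF so only real edits remain."""
    if data.startswith(UTF8_BOM):
        data = data[len(UTF8_BOM):]
    text = data.replace(b"\r\n", b"\n").decode("utf-8", errors="replace")
    return text.splitlines(keepends=True)


def compare_shipped_to_source(shipped: bytes, source: bytes) -> dict:
    """Compare a file found on the runner image with the published source."""
    shipped_lines = _normalize(shipped)
    source_lines = _normalize(source)
    # Context of 0 lines: report only the lines that actually changed.
    diff = list(difflib.unified_diff(source_lines, shipped_lines,
                                     fromfile="published-source",
                                     tofile="runner-image", n=0))
    return {
        "shipped_sha256": hashlib.sha256(shipped).hexdigest(),
        "source_sha256": hashlib.sha256(source).hexdigest(),
        "identical": shipped == source,
        "bom_added": shipped.startswith(UTF8_BOM) and not source.startswith(UTF8_BOM),
        "crlf_in_shipped": b"\r\n" in shipped,
        "equivalent_after_normalizing": shipped_lines == source_lines,
        "diff": diff,
    }


# Constructed sample standing in for the published JavaScript source.
SOURCE = (b"'use strict';\n"
          b"function redact(s) { return s; }\n"
          b"module.exports = { redact };\n")
# Constructed: same content, but with a BOM and CRLF endings, as a packaging
# step might emit; hashes differ, yet nothing semantic changed.
SHIPPED_BOM_ONLY = UTF8_BOM + SOURCE.replace(b"\n", b"\r\n")
# Constructed: BOM plus a hand-edited line, which normalization cannot explain away.
SHIPPED_EDITED = (UTF8_BOM +
                  b"'use strict';\n"
                  b"function redact(s) { return '***'; }\n"
                  b"module.exports = { redact };\n")


def demo():
    """Run both comparisons and return their reports (used by the demo below)."""
    return (compare_shipped_to_source(SHIPPED_BOM_ONLY, SOURCE),
            compare_shipped_to_source(SHIPPED_EDITED, SOURCE))


if __name__ == "__main__":
    for label, report in zip(("bom-only", "edited"), demo()):
        print(label, {k: v for k, v in report.items() if k != "diff"})
        print("".join(report["diff"]))
```

The point of the normalization step is to separate packaging noise (a BOM, CRLF conversion) from edits that change behaviour: a raw hash mismatch alone cannot tell the two apart, while a non-empty normalized diff is the case that warrants asking where the shipped file came from.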