GitHub Actions' VM image doesn't match published source code
21 hours ago
- #SBOM
- #GitHub Actions
- #Reproducible Builds
- A GitHub Actions pipeline failed due to an error with `hashFiles('**/Cargo.lock')`.
- The issue appears to be a regression, with multiple reports from 2025 linking to GitHub discussions and runner issues.
- A comment highlighted a discrepancy between the file in the repository and the one used in the runner, suggesting manual edits.
- Comparison of different versions of the runner's JavaScript file showed inconsistencies, including BOM insertion and log redaction.
- The incident raises concerns about the transparency of GitHub Actions' build environment and the accuracy of SBOMs (Software Bills of Materials) generated for it.
- Debian's and Arch Linux's approaches to documenting build environments are cited as a more transparent alternative.
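The mismatch described above (a runner file that differs from the published source, including a leading byte-order mark) is the kind of thing a build-environment check can catch automatically. The following is an added example, not code from the linked article or from GitHub's runner: it takes the bytes of a file as published in the source repository and the bytes found on the runner image, and reports whether they are identical, whether the only difference is a UTF-8 BOM, or which lines actually changed. The JavaScript snippets it compares are constructed for the example and do not reproduce the real runner code.

```python
"""Check a deployed runner artifact against its published source.

Added example (not code from the linked article or from GitHub's runner):
compares a file as published in the source repository with the copy found
on the runner image. File contents below are constructed for the example.
"""
import difflib
import hashlib

UTF8_BOM = b"\xef\xbb\xbf"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the raw bytes; a BOM alone changes this value."""
    return hashlib.sha256(data).hexdigest()


def has_utf8_bom(data: bytes) -> bool:
    return data.startswith(UTF8_BOM)


def strip_utf8_bom(data: bytes) -> bytes:
    return data[len(UTF8_BOM):] if has_utf8_bom(data) else data


def unified_diff(published: bytes, deployed: bytes) -> list[str]:
    """Line diff after normalising the BOM away, so the output shows real
    edits rather than an invisible leading byte."""
    a = strip_utf8_bom(published).decode("utf-8").splitlines()
    b = strip_utf8_bom(deployed).decode("utf-8").splitlines()
    return list(difflib.unified_diff(
        a, b, fromfile="published", tofile="deployed", lineterm=""))


def classify(published: bytes, deployed: bytes) -> str:
    """'identical', 'bom-only' (differs by a UTF-8 BOM) or 'content-differs'."""
    if published == deployed:
        return "identical"
    if strip_utf8_bom(published) == strip_utf8_bom(deployed):
        return "bom-only"
    return "content-differs"


def compare_artifact(published: bytes, deployed: bytes) -> dict:
    """Full report: status, both hashes, whether a BOM was added, and the diff.
    The raw hashes are what an SBOM would record; they differ even for a
    BOM-only change, which is why the status field is computed separately."""
    return {
        "status": classify(published, deployed),
        "published_sha256": sha256_hex(published),
        "deployed_sha256": sha256_hex(deployed),
        "bom_added": has_utf8_bom(deployed) and not has_utf8_bom(published),
        "diff": unified_diff(published, deployed),
    }


# Constructed sample: a tiny JS module standing in for a runner script.
PUBLISHED_JS = b"""function hashFiles(pattern) {
  console.log('matching ' + pattern);
  return computeHash(pattern);
}
"""

# Constructed deployed copy: a BOM was prepended and one line was edited.
DEPLOYED_JS = UTF8_BOM + b"""function hashFiles(pattern) {
  console.log('matching ' + redact(pattern));
  return computeHash(pattern);
}
"""

if __name__ == "__main__":
    report = compare_artifact(PUBLISHED_JS, DEPLOYED_JS)
    print("status:", report["status"])
    print("bom added:", report["bom_added"])
    print("published sha256:", report["published_sha256"])
    print("deployed sha256: ", report["deployed_sha256"])
    print("\n".join(report["diff"]))
```

In practice `PUBLISHED_JS` would be read from a checkout of the tagged source release and `DEPLOYED_JS` from the path on the runner image; keeping the BOM-only case separate from real content changes avoids treating an encoding artifact as a code edit, while still flagging that the recorded hash no longer matches the source.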