Question: why use docker image from ghcr?

[ThijsBroersen]

I see an issue with the switch to this image because a tag or commit ref to this repo becomes less secure as this docker ref could be overwritten. Also forking this action (security practice for organisations) is not really useful as the action logic is still in remote code which can change without notice.

Is my observation correct?
I cannot find any security related pages about how to protect against unknown content in container jobs.

[wei]

Thanks for the feedback. The change was an effort to prevent creation of tons of docker images when used in self-hosted runners. #91

I agree with your point on security considerations and it looks like we can revert back to Dockerfile as the default and self-hosted users can reference the ghcr docker image directly when using the action.

How does this sound?

[ThijsBroersen]

Sounds good!

[ThijsBroersen]

Would using a sha as image tag/ref also work here? Then you could perhaps still use an immutable image.

[wei]

Yes, you can use sha256 to pin it for sure.

uses: docker://ghcr.io/repo-sync/pull-request:v2.9

or

uses: docker://ghcr.io/repo-sync/pull-request@sha256:cf4c56e7a11cb9eae670c2422d9ccb6fa87e34e2a7ceafe1270ad0be872c318e

[wei]

Added a section to README: Docker Container Image Usage