mirror of https://github.com/go-task/task.git synced 2025-11-23 22:24:45 +02:00

feat: checksum pinning (#2223)

This commit is contained in:
Pete Davison
2025-05-24 14:00:02 +01:00
committed by GitHub
parent 68ce8b1d84
commit 71eb8cdeea
17 changed files with 196 additions and 15 deletions

@@ -182,9 +182,11 @@ includes:
## Security
### Automatic checksums
Running commands from sources that you do not control is always a potential
security risk. For this reason, we have added some checks when using remote
Taskfiles:
security risk. For this reason, we have added some automatic checks when using
remote Taskfiles:
1. When running a task from a remote Taskfile for the first time, Task will
print a warning to the console asking you to check that you are sure that you
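Review bot: the new `### Automatic checksums` heading sits directly under `## Security` with nothing introducing the two subsections that now follow it, so a reader skimming headings cannot tell that automatic checksums and manual pinning are alternatives rather than two independent features. Consider a one-line lead-in under `## Security` saying that Task offers two ways to verify a remote Taskfile before it runs, then branch into the two subsections. The wording change from "some checks" to "some automatic checks" is the right distinction to draw now that a manual path exists.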
@@ -209,6 +211,38 @@ flag. Before enabling this flag, you should:
containing a commit hash) to prevent Task from automatically accepting a
prompt that says a remote Taskfile has changed.
### Manual checksum pinning
Alternatively, if you expect the contents of your remote files to be a constant
value, you can pin the checksum of the included file instead:
```yaml
version: '3'
includes:
included:
taskfile: https://taskfile.dev
checksum: c153e97e0b3a998a7ed2e61064c6ddaddd0de0c525feefd6bba8569827d8efe9
```
This will disable the automatic checksum prompts discussed above. However, if
the checksums do not match, Task will exit immediately with an error. When
setting this up for the first time, you may not know the correct value of the
checksum. There are a couple of ways you can obtain this:
1. Add the include normally without the `checksum` key. The first time you run
the included Taskfile, a `.task/remote` temporary directory is created. Find
the correct set of files for your included Taskfile and open the file that
ends with `.checksum`. You can copy the contents of this file and paste it
into the `checksum` key of your include. This method is safest as it allows
you to inspect the downloaded Taskfile before you pin it.
2. Alternatively, add the include with a temporary random value in the
`checksum` key. When you try to run the Taskfile, you will get an error that
will report the incorrect expected checksum and the actual checksum. You can
copy the actual checksum and replace your temporary random value.
### TLS
Task currently supports both `http` and `https` URLs. However, the `http`
requests will not execute by default unless you run the task with the
`--insecure` flag. This is to protect you from accidentally running a remote
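Review bot: the "Manual checksum pinning" section never states which hash algorithm produces the `checksum` value; the example's 64 hex characters suggest SHA-256, but a user is given no way to compute the value independently (for example, hashing a copy of the file they have already reviewed) and is instead steered to copy it either from Task's own `.task/remote` cache or from the error message. Please name the algorithm. That also lets the text be more precise about method 2: copying the "actual checksum" out of the error pins whatever the server returned at that moment without anyone having looked at it, so the paragraph should say plainly that the downloaded content still needs to be reviewed before the value is committed, as method 1 already does.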

@@ -34,6 +34,7 @@ toc_max_heading_level: 5
| `internal` | `bool` | `false` | Stops any task in the included Taskfile from being callable on the command line. These commands will also be omitted from the output when used with `--list`. |
| `aliases` | `[]string` | | Alternative names for the namespace of the included Taskfile. |
| `vars` | `map[string]Variable` | | A set of variables to apply to the included Taskfile. |
| `checksum` | `string` | | The checksum of the file you expect to include. If the checksum does not match, the file will not be included. |
:::info
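Review bot: the `checksum` description says "the file will not be included", while the usage docs in this same change say Task "will exit immediately with an error" when the checksums do not match. Those describe different behaviours (skipping an include versus failing the whole run), so please align the reference table with what the code actually does, and consider stating the expected hash algorithm here as well so the table is self-sufficient.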

@@ -684,6 +684,10 @@
"vars": {
"description": "A set of variables to apply to the included Taskfile.",
"$ref": "#/definitions/vars"
},
"checksum": {
"description": "The checksum of the file you expect to include. If the checksum does not match, the file will not be included.",
"type": "string"
}
}
}
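Review bot: `checksum` is declared as a bare `"type": "string"` with no `pattern`, so a truncated or mistyped digest passes schema validation and is only rejected at run time. If the value is a hex SHA-256 digest, as the 64-character example in the usage docs suggests, adding a `pattern` restricting it to 64 hex characters (for example `^[a-fA-F0-9]{64}$`, adjusted to whatever case Task accepts) would surface typos in schema-aware editors. The description also repeats the "file will not be included" wording that conflicts with the usage docs' "exit immediately with an error".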