In bazelbuild/rules_pkg#716 (comment) there's a suggestion that rules need complexity in their release process in order to make them secure.
I believe we have already followed excellent security practices in the way releases are created here. By only allowing a developer with write access to push a tag, there's no way to create a release with contents that aren't reproducible from the sources.
I'd be very interested to know of any vulnerabilities with our approach, as there are now dozens of rulesets based on this template.
In bazelbuild/rules_pkg#716 (comment) there's a suggestion that rules need complexity in their release process in order to make them secure.
I believe we have already followed excellent security practices in the way releases are created here. By only allowing a developer with write access to push a tag, there's no way to create a release with contents that aren't reproducible from the sources.
I'd be very interested to know of any vulnerabilities with our approach, as there are now dozens of rulesets based on this template.