
Pin workflow wsl2.yml #12976

Open
HackingRepo wants to merge 1 commit into uutils:main from HackingRepo:patch-1

Conversation

HackingRepo commented Jun 19, 2026


Pinning the workflow wsl2.yml as part of the Supply Chain Security Tracking Issue, #12905.

Note: for the WSL setup workflow, the pinning matches the exact version v6.1.0.

@sylvestre

Contributor

Why is that better than the version?

HackingRepo commented Jun 19, 2026

Author

No, that is the same version, v6.1.0, just with the commit hash pinned.

HackingRepo commented Jun 19, 2026

Author

@sylvestre, if you don't trust me, see Vampire/setup-wsl@887f39d; it is the same version for the workflow, don't worry.

oech3 commented Jun 19, 2026

Contributor

We absolutely believe in this action and always bump when a new version is released. So using a commit hash does not improve anything.

HackingRepo commented Jun 19, 2026

Author

But if those actions are compromised, what will you say? That is the problem of using @v6.1.0 instead of a commit hash: because it is unpinned, @v6.1.0 is mutable, but a commit hash can never change. Don't worry, Dependabot will bump the commit hash if there is a good release, @oech3; if a new action version is released, Dependabot will issue an update and update the commit hash.

oech3 commented Jun 19, 2026

Contributor

If those actions are compromised, we install it at the next update using a commit hash.

@HackingRepo

Author

The risk is that Vampire is just a maintainer user, not a tech giant or an organization at least; maintainers are a very high target, and if just the action is compromised, attackers will push malware and then it will propagate to uutils.

@HackingRepo

Author

When a workflow is compromised, it will instantly trigger malicious code in uutils. Please understand, @oech3: if you don't understand how a supply chain attack works, don't try to comment on the PR; there are tons of issues open, view them and fix them.

oech3 commented Jun 19, 2026

Contributor

So do you say that we have a deadline to notice a new malicious version before merging Dependabot's PR?

github-actions Bot commented Jun 19, 2026


GNU testsuite comparison:

Skipping an intermittent issue tests/date/date-locale-hour (passes in this run but fails in the 'main' branch)
Skipping an intermittent issue tests/tail/retry (passes in this run but fails in the 'main' branch)
Skipping an intermittent issue tests/tail/symlink (passes in this run but fails in the 'main' branch)
Congrats! The gnu test tests/rm/many-dir-entries-vs-OOM is now passing!

@HackingRepo

Author

Yes, when using commit hashes they are immutable until you merge the Dependabot update, which changes the commit hash to the new one; but when using a tag like v6.1.0, an attacker can point it to a malicious commit and you end up with malware even if you don't touch Dependabot updates.
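
The tag-versus-commit distinction argued in the thread, as an added example that is not the PR's change and not code from uutils or from the setup-wsl action: a small Python check that flags every `uses:` reference in a workflow that is not pinned to a full 40-hex commit SHA. The workflow text and the SHA inside it are constructed for illustration (the real wsl2.yml and the real setup-wsl commit are not reproduced here).

```python
import re

# Constructed sample workflow (assumption: not the repository's real wsl2.yml).
# Line 8 uses a mutable tag, line 9 the same version pinned to a constructed SHA;
# the trailing "# v6.1.0" comment is the usual way to keep the version readable
# next to the hash (Dependabot maintains both when it bumps the pin).
SAMPLE_WORKFLOW = """\
name: wsl2
on: [push]
jobs:
  test:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Vampire/setup-wsl@v6.1.0
      - uses: Vampire/setup-wsl@0123456789abcdef0123456789abcdef01234567 # v6.1.0
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(#.*)?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(ref):
    """Return 'sha', 'mutable' or 'skip' for one uses: reference."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return "skip"  # local path or container image: outside this check
    if "@" not in ref:
        return "mutable"  # no ref at all resolves to the default branch
    _, version = ref.rsplit("@", 1)
    # Tags and branches can be moved by whoever controls the action repo;
    # only a full commit SHA identifies exactly one immutable tree.
    return "sha" if FULL_SHA_RE.match(version) else "mutable"


def find_mutable_uses(workflow_text):
    """Return (line_no, reference) for each uses: not pinned to a full SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify(m.group(1)) == "mutable":
            findings.append((n, m.group(1)))
    return findings


if __name__ == "__main__":
    for n, ref in find_mutable_uses(SAMPLE_WORKFLOW):
        print(f"line {n}: {ref} uses a mutable ref; pin to a full commit SHA")
```

Run over a real `.github/workflows/` directory this reports the tag-pinned steps a Dependabot bump would not protect, which is the gap the thread is about.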

oech3 commented Jun 19, 2026

Contributor

Personally, the wsl/devcontainer CI is not useful since it uses exactly the same Ubuntu version as GitHub (no newer glibc).
I suggest just dropping them if they are not reliable.

codspeed-hq Bot commented Jun 19, 2026


Merging this PR will improve performance by 3.38%

⚠️ Different runtime environments detected

Some benchmarks with significant performance changes were compared across different runtime environments,
which may affect the accuracy of the results.

Open the report in CodSpeed to investigate

⚡ 1 improved benchmark
✅ 322 untouched benchmarks
⏩ 46 skipped benchmarks [1]

Performance Changes

Mode Benchmark BASE HEAD Efficiency
Simulation du_all_wide_tree[(5000, 500)] 16.7 ms 16.1 ms +3.38%

Tip

Curious why this is faster? Comment @codspeedbot explain why this is faster on this PR, or directly use the CodSpeed MCP with your agent.


Comparing HackingRepo:patch-1 (b75ccbb) with main (5de3062) [2]

Open in CodSpeed

Footnotes

  1. 46 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

  2. No successful run was found on main (a037a0c) during the generation of this report, so 5de3062 was used instead as the comparison base. There might be some changes unrelated to this pull request in this report.
