Why does it download ubuntu image from a weird repo?

[ryuukk]

workflow: https://github.com/ryuukk/zag/blob/no_error_pls/.github/workflows/zag_ci.yml

act
[zag_ci/x86_64-linux-release] 🚀  Start image=catthehacker/ubuntu:act-latest
[zag_ci/x86_64-linux-release]   🐳  docker pull image=catthehacker/ubuntu:act-latest platform= username= forcePull=true

Who tf is this person https://github.com/catthehacker/docker_images

What are the chances this is compromised? i bet it is

[Antvirf]

GitHub Actions runners do not run on plain Ubuntu, they have additional tooling installed. Therefore, a base Ubuntu Docker image wouldn't work.

GitHub only releases vm images of the GitHub Actions runner. Act uses Docker, so a custom container that replicates the functionality of the runner VMs has to be created. That's why it pulls from the repo you mention.

If you have security concerns, you are free to inspect and explore how these containers are built in the repo you mention, or build one yourself if you want. See this bit on alternative runner images.

[ryuukk]

This is very concerning, i'll drop this program and i will look for something less fishy

[ChristopherHX]

Selecting the small image in first time setup will pull node:sometag and you don't have to trust a random maintainer of nektos/act.

catthehacker/Ryan/R/pj was a major contributor / maintainer of nektos/act in 2020/21.

Maintainer of this repo are unable to create repositories in nektos org, so it tend to be eaier to use a custom GitHub account.

i'll drop this program and i will look for something less fishy

Do whatever you want.

What are the chances this is compromised? i bet it is

I don't think so. However don't trust me, I'm a collabator with push access to the git repo (less restricted than nektos/act).

[catthehacker]

Who tf is this person catthehacker/docker_images

it is me, "who tf" are you?

What are the chances this is compromised?

None, you can see whole repo history and who made which commits.
Since sometime ago, I've added @ChristopherHX to repo maintainers as I don't have any time to maintain it anymore.

i bet it is

This is very concerning, i'll drop this program and i will look for something less fishy

With what you shown in this discussion is that you have barely any understanding of security and that you have no idea what act is/how it works (or maybe you didn't bother to read the readme).
Good luck with finding something else anyway.

[ryuukk]

i do understand security better than both Microsoft and the CIA dogs https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr