Summary
The `setup-mysql` composite action downloads two Ubuntu `.deb` packages — `libaio1` and `libtinfo5` — from `http://archive.ubuntu.com` over plain HTTP. `archive.ubuntu.com` supports HTTPS, so we may as well use it.
This is a hygiene / consistency cleanup, not a security fix. The practical threat model is thin: GitHub-hosted runners route this traffic through GitHub/Azure infrastructure, and an attacker with enough access to MITM that path doesn't need to swap a `.deb` to compromise a job. The change is still worth making because there's no reason to use plain HTTP when HTTPS is available.
Flagged by Copilot on #20196.
Where
`main`, `release-24.0`, `release-23.0` — one file:
- `.github/actions/setup-mysql/action.yml` — two URLs:
`release-22.0` — same file, same URLs. `release-22.0` is EOL, so this is a lower-priority cleanup.
`release-21.0`, `release-20.0` — these branches predate `setup-mysql/action.yml`; the same two URLs are inlined into the templates under `test/templates/` and the corresponding generated workflows. Editing the templates and regenerating is the right path on those branches. Both branches are EOL, so this is also lower priority.
Proposed fix
Change `http://` to `https://` on those two URLs, in `setup-mysql` on the supported branches and in the templates on the older branches.
While we're touching these lines, we should also verify a SHA256 checksum on each `.deb` before `dpkg -i`. That's a separable cleanup but a natural one to bundle: the URLs reference fixed point releases (`libaio1_0.3.112-13build1`, `libtinfo5_6.3-2ubuntu0.1`), so a pinned checksum has no downside, and it gives us something HTTPS doesn't — protection against `archive.ubuntu.com` itself rotating the file under us (which would just break CI), and against compromise of the archive itself.
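A hardened version of the download step, as an added example rather than the action's own code: it refuses non-HTTPS URLs, pins TLS 1.2+, and only installs a `.deb` whose SHA256 matches a value pinned in the workflow. The full pool URLs and the checksums are placeholders to be filled in from the action; only the two point-release package names come from the text above.

```shell
#!/usr/bin/env bash
# Example hardened fetch for the two pinned .deb packages. Not the project's
# action.yml. URLs and checksums below are PLACEHOLDERS, not real values.
set -euo pipefail

# verify_sha256 FILE EXPECTED_HEX -> 0 on match, 1 on mismatch.
verify_sha256() {
    local file="$1" expected="$2" actual
    if command -v sha256sum >/dev/null 2>&1; then
        actual="$(sha256sum "$file" | awk '{print $1}')"
    else
        actual="$(shasum -a 256 "$file" | awk '{print $1}')"
    fi
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: expected $expected, got $actual" >&2
        return 1
    fi
}

# fetch_and_verify URL EXPECTED_HEX DEST -> downloads over HTTPS only and
# deletes the file again if its SHA256 does not match the pinned value.
fetch_and_verify() {
    local url="$1" expected="$2" dest="$3"
    case "$url" in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $url" >&2; return 1 ;;
    esac
    # --proto '=https' also blocks redirects to plain http.
    curl --fail --silent --show-error --location \
         --proto '=https' --tlsv1.2 -o "$dest" "$url"
    if ! verify_sha256 "$dest" "$expected"; then
        rm -f "$dest"
        return 1
    fi
}

main() {
    # Placeholder URLs/checksums (assumed): replace with the pinned values.
    local libaio1_url="https://archive.ubuntu.com/PLACEHOLDER/libaio1_0.3.112-13build1_amd64.deb"
    local libaio1_sha256="PLACEHOLDER_SHA256_LIBAIO1"
    local libtinfo5_url="https://archive.ubuntu.com/PLACEHOLDER/libtinfo5_6.3-2ubuntu0.1_amd64.deb"
    local libtinfo5_sha256="PLACEHOLDER_SHA256_LIBTINFO5"
    fetch_and_verify "$libaio1_url" "$libaio1_sha256" libaio1.deb
    fetch_and_verify "$libtinfo5_url" "$libtinfo5_sha256" libtinfo5.deb
    sudo dpkg -i libaio1.deb libtinfo5.deb
}

# Only run the network path when invoked with --run; the functions above
# can be sourced and tested offline.
if [ "${1:-}" = "--run" ]; then main; fi
```

Invoke with `--run` inside the action step; a checksum mismatch leaves no `.deb` on disk and fails the step before `dpkg -i`.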