🌱 Pin actions to a full length commit SHA #6341

Closed
2 changes: 1 addition & 1 deletion .github/workflows/dependabot.yml
Expand Up @@ -34,7 +34,7 @@ jobs:
run: make generate-modules
- name: Update generated code
run: make generate
- uses: EndBug/add-and-commit@v9
- uses: EndBug/add-and-commit@8c12ff729a98cfbcd3fe38b49f55eceb98a5ec02 # v7 https://api.github.com/repos/EndBug/add-and-commit/git/commits/8c12ff729a98cfbcd3fe38b49f55eceb98a5ec02
Member
@sbueringer sbueringer Mar 29, 2022

@naveensrinivasan My bad. I missed that they actually have a v7 and a v7.0.0 tag in this repo. That's why I thought it is not just the commit id of the repo.

Do you know if dependabot will update the comment including the tag and the URL automatically?

Anyway for me it would be fine to drop the URL. I just didn't know / misread that it's directly a commit ID on the repo. I thought it might be a sha of a published "action artifact" or something.

Member
@sbueringer sbueringer Mar 29, 2022

If we keep the URL, can you please link to those URLs instead: https://github.com/EndBug/add-and-commit/releases/tag/v7

This way the tag can be directly mapped to the commit id

Contributor Author

TBH I use the API to get the URL. Sorry, as of now I can do this.

name: Commit changes
with:
author_name: dependabot[bot]
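Review bot: the new `uses:` line in `.github/workflows/dependabot.yml` is labelled `# v7`, but the line it replaces referenced `EndBug/add-and-commit@v9`, so this hunk downgrades the action by two major versions rather than only pinning it. Pin the commit that the v9 tag resolves to and label it `# v9`, so the change is a pure pin with no behaviour change; and, as asked in the thread, the trailing comment would be more useful as the release page (e.g. https://github.com/EndBug/add-and-commit/releases/tag/v9) than as an api.github.com commit URL, since the release page lets a reviewer map the tag to the commit directly.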
2 changes: 1 addition & 1 deletion .github/workflows/golangci-lint.yml
Expand Up @@ -15,7 +15,7 @@ jobs:
steps:
- uses: actions/checkout@v3
- name: golangci-lint
uses: golangci/golangci-lint-action@v2
uses: golangci/golangci-lint-action@5c56cd6c9dc07901af25baab6f2b0d9f3b7c3018 # v2 https://api.github.com/repos/golangci/golangci-lint-action/git/commits/5c56cd6c9dc07901af25baab6f2b0d9f3b7c3018
with:
version: v1.45.2
working-directory: ${{matrix.working-directory}}
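Review bot: `actions/checkout@v3` two lines above the changed line is left on a mutable tag in `.github/workflows/golangci-lint.yml` while `golangci/golangci-lint-action` is pinned to a commit; a tag can be moved to point at different code, so for the PR's goal of full-length SHA pins to hold for this workflow, pin `actions/checkout` to the commit behind its v3 tag with a `# v3` comment in the same style.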
6 changes: 3 additions & 3 deletions .github/workflows/lint-docs.yaml
Expand Up @@ -11,8 +11,8 @@ jobs:
name: Broken Links
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: gaurav-nelson/github-action-markdown-link-check@v1
- uses: actions/checkout@master
- uses: gaurav-nelson/github-action-markdown-link-check@9710f0fec812ce0a3b98bef4c9d842fc1f39d976 # v1 https://api.github.com/repos/gaurav-nelson/github-action-markdown-link-check/git/commits/9710f0fec812ce0a3b98bef4c9d842fc1f39d976
with:
use-quiet-mode: 'yes'
config-file: .markdownlinkcheck.json
config-file: .markdownlinkcheck.json
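Review bot: the change from `actions/checkout@v3` to `actions/checkout@master` in `.github/workflows/lint-docs.yaml` goes the opposite way from the rest of this PR: `master` is a moving branch, so the job would run whatever the branch head is at run time, which is a weaker reference than the `v3` tag it replaces. Pin it to the commit SHA behind the v3 tag with a `# v3` comment, matching the `github-action-markdown-link-check` line in the same hunk.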
2 changes: 1 addition & 1 deletion .github/workflows/release.yml
Expand Up @@ -28,7 +28,7 @@ jobs:
run: |
make release-notes
- name: Release
uses: softprops/action-gh-release@v1
uses: softprops/action-gh-release@4716bde57e0fcda6ce83002e2469b8a90e560573 # v1 https://api.github.com/repos/softprops/action-gh-release/git/tags/4716bde57e0fcda6ce83002e2469b8a90e560573
Member

v1 seems to be:
https://github.com/softprops/action-gh-release/releases/tag/v1 => 1e07f4398721186383de40550babbdf2b84acfc5

Member

I couldn't find 4716bde57e0fcda6ce83002e2469b8a90e560573

Contributor
@killianmuldoon killianmuldoon Mar 29, 2022

API endpoint (from above) seems to point to the same release commit if I'm reading the API endpoint right:
softprops/action-gh-release@1e07f43

I'm not sure why the SHAs are different though, but I guess it's the tag i.e. https://docs.github.com/en/rest/reference/git#tags

Contributor Author

I couldn't find 4716bde57e0fcda6ce83002e2469b8a90e560573

Have you had a chance to look at this URL https://api.github.com/repos/softprops/action-gh-release/git/tags/4716bde57e0fcda6ce83002e2469b8a90e560573 ?

Member
@sbueringer sbueringer Mar 29, 2022

Hm maybe some GitHub issue. The URL didn't work for me a few hours before.

But v1 is definitely not pointing to this commit: https://github.com/softprops/action-gh-release/releases/tag/v1

Member
@sbueringer sbueringer Apr 4, 2022

Okay got the API query issue. But couldn't we just use the commit id linked at the release in the GitHub UI?
=> https://github.com/softprops/action-gh-release/releases/tag/v1 (softprops/action-gh-release@1e07f43)

Member
@sbueringer sbueringer Apr 4, 2022

But I think the most important question is, what would dependabot do?

Does it update to the latest release or the latest tag and which sha would it use then?

And also, would it update the URL comment? I prefer not adding the URL if we would have to update it manually after each dependabot PR to bump actions.

Contributor Author

It wouldn't add the URL. The dependabot would update to the latest tag instead of the version.

Member
@sbueringer sbueringer Apr 4, 2022

It wouldn't add the URL

Okay then let's drop the URLs

Would it update the comment with the tag behind the sha?

update to the latest tag instead of the version

To clarify, the latest tag instead of the latest release? (or what do you mean with version?)

with:
draft: true
files: out/*
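Review bot: the SHA on the new `softprops/action-gh-release` line in `.github/workflows/release.yml` was taken from the `git/tags/` endpoint (the trailing URL says so), so it identifies the annotated tag object, not a commit, unlike every other pin in this PR, which came from `git/commits/`. The thread shows the v1 release page resolving to commit 1e07f43; pin that full commit SHA (or whichever commit the v1 tag points at) so that `uses:` references a commit like the other workflows, and so the `# v1` comment matches what the pin actually is.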
2 changes: 1 addition & 1 deletion .github/workflows/update-homebrew-formula-on-release.yml
Expand Up @@ -9,7 +9,7 @@ jobs:
runs-on: macos-latest
steps:
- name: Update Homebrew formula
uses: dawidd6/action-homebrew-bump-formula@v3
uses: dawidd6/action-homebrew-bump-formula@dd221ff435f42fa8102b5871bb1929af9d76476c # v3 https://api.github.com/repos/dawidd6/action-homebrew-bump-formula/git/commits/dd221ff435f42fa8102b5871bb1929af9d76476c
with:
token: ${{secrets.HOMEBREW_UPDATE_TOKEN}}
formula: clusterctl
2 changes: 1 addition & 1 deletion .github/workflows/verify.yml
Expand Up @@ -9,6 +9,6 @@ jobs:
steps:
- name: Verifier action
id: verifier
uses: kubernetes-sigs/[email protected]
uses: kubernetes-sigs/kubebuilder-release-tools@4777888c377a26956f1831d5b9207eea1fa3bf29 # v0.1 https://api.github.com/repos/kubernetes-sigs/kubebuilder-release-tools/git/commits/4777888c377a26956f1831d5b9207eea1fa3bf29
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
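Review bot: the `# v0.1` label on the new `kubernetes-sigs/kubebuilder-release-tools` line should be checked against the tag the removed line referenced before merge, since the dependabot.yml hunk in this same PR shows how easily a pin can land on a different version than the tag it replaces; confirm that 4777888c377a26956f1831d5b9207eea1fa3bf29 is the commit the v0.1 tag resolves to, and consider linking the release page rather than the api.github.com URL so that mapping is visible to the next reviewer.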