Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Missing lib build products #168

Closed
jtbandes opened this issue Apr 24, 2024 · 6 comments
Closed

Missing lib build products #168

jtbandes opened this issue Apr 24, 2024 · 6 comments

Comments

@jtbandes
Copy link

jtbandes commented Apr 24, 2024

We used to pin this workflow by SHA, e.g.

- uses: mislav/bump-homebrew-formula-action@b3327118b2153c82da63fd9cbf58942146ee99f0

This pinning technique is recommended in https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

However, eventually as we bumped the version to latest main (with the help of Dependabot), we started encountering this error:

Error: File not found: '/home/runner/work/_actions/mislav/bump-homebrew-formula-action/868bf7871f81dda58cc50fe1d17ea83ae1f3f929/./lib/index.js'

It seems like this is because lib is not committed to the repo. It is present in the v3 branch, but not on main. Would it be possible to keep this present and up to date? This seems to be what other actions do, e.g.: https://github.com/actions/checkout/tree/main/dist

@mislav
Copy link
Owner

mislav commented Aug 27, 2024

Hi, sorry for late reply, but you discovered already that this project only commits lib products in the v3 branch (and any past and future v* versioned branch), so if you need to pin to a certain commit SHA, you can use the commit from the v3 branch and not from main.

My rationale is that main is where the development happens and I don't think it's prudent to commit generated files in a development branch, even if other Actions repositories commonly do that. I personally think that various Actions projects commit too much and too often into the main branch, so I try to avoid that.

@mislav mislav closed this as completed Aug 27, 2024
@mislav mislav closed this as not planned Won't fix, can't repro, duplicate, stale Aug 27, 2024
@jtbandes
Copy link
Author

Thanks for the reply. It’s been a while since I looked at this, but iirc dependabot does not know which branch to use when bumping a sha-based dependency. So if the build products are not committed on main, dependabot will always try to bump to a broken version of the dependency :(

@jtbandes
Copy link
Author

Example bump PR from dependabot: foxglove/mcap#1140

(Also, in this particular case we've stopped using this action since Homebrew upstream is auto-bumping the formula for us)

@mislav
Copy link
Owner

mislav commented Aug 28, 2024

It’s been a while since I looked at this, but iirc dependabot does not know which branch to use when bumping a sha-based dependency.

Ah that's unfortunate. I can see how it's a big problem if you pin to a valid SHA from the v3 branch but later Dependabot suggests "upgrading" to the latest SHA of the main branch, essentially breaking the action setup.

I'm not sure exactly how Dependabot approaches upgrading pinned Actions, but I seem to recall that there is a syntax in the comments such as:

- uses: mislav/bump-homebrew-formula-action@b3327118b2153c82da63fd9cbf58942146ee99f0 # v3.1

Now, in theory, Dependabot should understand that you've pinned to a tagged release, and will only try to upgrade to other tagged releases. (Tagged releases in this repository are guaranteed to have build products checked in.)

I understand that you're not using this Action anymore, but this could help other people in the meantime. For the sake of ease of using Dependabot, I will consider checking in build products to main in the future, since I believe security is important and pinning Actions seems to be more widespread practice.

@jtbandes
Copy link
Author

I do see that versions in comments will be parsed & updated (https://github.blog/changelog/2022-10-31-dependabot-now-updates-comments-in-github-actions-workflows-referencing-action-versions/ / dependabot/dependabot-core#5951). I'm not sure if this will actually impact which branch it uses to choose the new SHA, or if it's just updating the comment to match whatever SHA it chooses...

@jtbandes
Copy link
Author

I guess another approach could be to change the default branch to v3, assuming dependabot might be using the default branch.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants
@mislav @jtbandes and others