
BUG: Pinned-Dependencies need ability to exclude non-build/release workflows #4039

Closed
emaste opened this issue Apr 17, 2024 · 3 comments
Labels
kind/bug Something isn't working

Comments

@emaste

emaste commented Apr 17, 2024

Describe the bug
A product may have workflows that are not part of its build or release process that have unpinned dependencies. This may be incidental or intentional. Some method is needed to indicate that these workflows are unrelated to build or release processes.

Reproduction steps

  1. Examine FreeBSD scorecard https://securityscorecards.dev/viewer/?uri=github.com/freebsd/freebsd-src
  2. Review workflow with unpinned dependency https://github.com/freebsd/freebsd-src/blob/main/.github/workflows/cross-bootstrap-tools.yml
  3. Observe that unpinned dependencies here do not affect builds or releases

Expected behavior
Some method exists to have workflows indicate that they are not part of a build or release process.

Additional context
It is presumably unfeasible to automatically detect that a workflow is not part of a build or release process, and I suspect an explicit annotation is the only feasible way to accomplish this.

The workflow referenced above is used to test that FreeBSD can be cross-built from Linux and macOS environments obtained by installing the default versions of the build tools, and pinning them would partially defeat the purpose. The workflow builds a FreeBSD kernel using the installed environment but does not store or otherwise handle any built artifacts; the output is merely whether the build was successful or not.

@emaste emaste added the kind/bug Something isn't working label Apr 17, 2024
@spencerschrock
Member

> Some method exists to have workflows indicate that they are not part of a build or release process.

There are two approaches to this: explicit and implicit.

  1. Explicitly, we have started a feature allowing repo maintainers to annotate this sort of thing (⚠️ Add initial Maintainers Annotation parsing #3905).
  2. Implicitly, I believe what you're requesting is the discussion at Feature: Allow unpinned in non-privileged workflows #2018.

Looking at the workflow now, #2018 seems more applicable given the workflow has no privileged access.
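To make the two notions in this thread concrete (an "unpinned" dependency versus one pinned to a commit SHA, and a "privileged" workflow versus one that only has read access and touches no secrets), here is an added example, written for this page and not Scorecard's own code or FreeBSD's workflow. It is a deliberately simplified, line-oriented scanner that applies the idea of the Pinned-Dependencies check to two constructed workflow files; the action SHA, package versions and secret name in the samples are made up, and the rules (an action is pinned only when its `@` ref is a 40-hex commit SHA; a workflow counts as privileged when it grants any `write` token permission, references a non-`GITHUB_TOKEN` secret, or omits a `permissions` block entirely) are this example's assumptions, not Scorecard's exact logic.

```python
import re

# Constructed sample: a CI-only workflow like the one described in the issue.
# Read-only token, no secrets; one action and one pip package are unpinned.
# The 40-hex SHA below is a placeholder, not a real commit.
CI_WORKFLOW = """\
name: cross-build-check
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c
      - run: pip install requests
      - run: pip install requests==2.31.0
"""

# Constructed sample: a release workflow with write access and a publishing secret.
RELEASE_WORKFLOW = """\
name: release
on:
  push:
    tags: ['v*']
permissions:
  contents: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./publish.sh
        env:
          TOKEN: ${{ secrets.PUBLISH_TOKEN }}
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PIP_RE = re.compile(r"pip3?\s+install\s+(.+)")
WRITE_RE = re.compile(r"^\s*[\w-]+:\s*write(-all)?\s*$")


def find_unpinned(workflow_text):
    """Return (line_no, kind, ref) for every dependency not pinned to an exact version.

    Actions are pinned only by a full commit SHA (tags like @v4 can move);
    pip packages are pinned only with '=='. Local './' actions are skipped.
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith("./"):
                continue
            _, _, version = ref.partition("@")
            if not SHA_RE.match(version):
                findings.append((line_no, "action", ref))
            continue
        m = PIP_RE.search(line)
        if m:
            for pkg in m.group(1).split():
                if pkg.startswith("-"):
                    continue  # pip flag, not a package
                if "==" not in pkg:
                    findings.append((line_no, "pip", pkg))
    return findings


def is_privileged(workflow_text):
    """Conservative privilege test (this example's assumption, not Scorecard's rule):

    privileged if any token scope is 'write', 'write-all' is used, a secret other
    than GITHUB_TOKEN is referenced, or no explicit 'permissions' block exists.
    """
    has_permissions = False
    for line in workflow_text.splitlines():
        stripped = line.split("#", 1)[0]
        if re.match(r"^\s*permissions:", stripped):
            has_permissions = True
            if "write-all" in stripped:
                return True
        elif has_permissions and WRITE_RE.match(stripped):
            return True
        if "secrets." in stripped and "secrets.GITHUB_TOKEN" not in stripped:
            return True
    return not has_permissions


def assess(workflow_text):
    """Combine both checks: unpinned deps only matter for release risk when privileged."""
    unpinned = find_unpinned(workflow_text)
    privileged = is_privileged(workflow_text)
    return {"privileged": privileged, "unpinned": unpinned,
            "needs_attention": privileged and bool(unpinned)}


if __name__ == "__main__":
    for name, text in (("ci", CI_WORKFLOW), ("release", RELEASE_WORKFLOW)):
        print(name, assess(text))
```

Run as a script, the CI sample reports two unpinned entries but `needs_attention: False` because it is not privileged, while the release sample, with the same unpinned `actions/checkout@v4`, is flagged. That split is the distinction #2018 is about; the annotation route in #3905 instead lets a maintainer state the intent explicitly rather than having a tool infer it.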

@emaste
Author

emaste commented May 1, 2024

Thanks. #3905 can be used to solve this for us in the short term, and I believe that my request is equivalent to #2018, so I'll close this.

@emaste emaste closed this as completed May 1, 2024
@emaste emaste closed this as not planned May 1, 2024
@spencerschrock
Member

I'll note #3905 is still experimental.
