Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use full changeset hash for 3rd-party GitHub Actions #48

Merged
merged 4 commits into from
Jun 26, 2024
Merged

Use full changeset hash for 3rd-party GitHub Actions #48

merged 4 commits into from
Jun 26, 2024
+58 −3

Conversation

masutaka
Copy link
Member

@masutaka masutaka commented Jun 26, 2024
edited
Loading

変更内容

サードパーティの GitHub Actions のバージョンを Full Changeset Hash での固定に変更する。

- uses: owner/[email protected]
#
- uses: owner/action-name@26968a09c0ea4f3e233fdddbafd1166051a095f6 # v1.0.0

👈 の GitHub Actions について、変更した

Action name Verified creator Next action
actions/checkout Verified creator なので移行しない
actions/setup-java Verified creator なので移行しない
dorny/paths-filter 移行済なので何もしない
github/codeql-action/analyze1 Verified creator の明記はないが GitHub 製なので移行しない
github/codeql-action/autobuild1 Verified creator の明記はないが GitHub 製なので移行しない
github/codeql-action/init1 Verified creator の明記はないが GitHub 製なので移行しない
ls-lint/action2 移行した 👈
octokit/graphql-action Verified creator なので移行しない
reviewdog/action-actionlint 移行済なので何もしない
Songmu/tagpr 移行済なので何もしない
technote-space/assign-author 移行した 👈
tokorom/action-slack-incoming-webhook 移行した 👈

背景・目的

このリポジトリ https://github.com/route06/actions をよりセキュアにするため。

🔗 社内用GitHub Actionsのセキュリティガイドラインを公開します | メルカリエンジニアリング

サードパーティのActionを利用する場合、基本的にFull Changeset Hashに固定する。以下のようにFull Changeset Hashとバージョンコメントを記載することで、どのバージョンを使っているのかわかりやすくなる。

Dependabot は Full Changeset Hash に対応している3ため、Full Changeset Hash に変更するデメリットはサードパーティの GitHub Action を初めて導入する時だけ。

TODO

  • サードパーティの GitHub Actions のバージョン指定を full changeset hash に変更する
  • ADR の作成

関連情報

Footnotes

  1. GitHub Marketplace に公開されていない理由: https://github.com/github/codeql-action/issues/596#issuecomment-868569180 2 3

  2. GitHub Marketplace に公開されていない

  3. https://github.com/route06/actions/pull/46#discussion_r1650261916

masutaka
masutaka commented Jun 26, 2024
View reviewed changes
.github/workflows/add_assignee_to_pr.yml
@@ -25,4 +25,4 @@ jobs:
if: ${{ github.event.pull_request.user.type != 'Bot' && toJSON(github.event.pull_request.assignees) == '[]' }}

steps:
- uses: technote-space/assign-author@v1
- uses: technote-space/assign-author@9558557c5c4816f38bd06176fbc324ba14bb3160 # v1.6.2
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

差分なし technote-space/assign-author@v1...9558557

.github/workflows/my_test.yml
@@ -31,4 +31,4 @@ jobs:
timeout-minutes: 5
steps:
- uses: actions/checkout@v4
- uses: ls-lint/[email protected]
- uses: ls-lint/action@1887e6c0e7f2dfa81a2d67591f0eb7782720026f # v2.2.3
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

差分なし ls-lint/action@v2.2.3...1887e6c

.github/workflows/notify_slack_on_ci_failed.yml
@@ -31,7 +31,7 @@ jobs:
COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
run: echo "COMMIT_MESSAGE=$COMMIT_MESSAGE" | tr '\n' ' ' >> "$GITHUB_ENV"
- name: Notify to slack
uses: tokorom/action-slack-incoming-webhook@main
uses: tokorom/action-slack-incoming-webhook@d57bf1eb618f3dae9509afefa70d5774ad3d42bf # v1.3.0
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

差分なし tokorom/action-slack-incoming-webhook@main...d57bf1e

@masutaka masutaka marked this pull request as ready for review June 26, 2024 04:50
@masutaka masutaka requested a review from a team as a code owner June 26, 2024 04:50
@masutaka masutaka added the documentation Improvements or additions to documentation label Jun 26, 2024
MH4GF
MH4GF approved these changes Jun 26, 2024
View reviewed changes
Copy link
Contributor

@MH4GF MH4GF left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ADRも理解です、よさそうでした 🚀

@masutaka
Copy link
Member Author

ありがとうございます!🚀
リリースまでやりますね。

@masutaka masutaka added this pull request to the merge queue Jun 26, 2024
Merged via the queue into main with commit c8efc2b Jun 26, 2024
2 checks passed
@masutaka masutaka deleted the use-full-changeset-hash branch June 26, 2024 07:41
@github-actions github-actions bot mentioned this pull request Jun 26, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MH4GF MH4GF MH4GF approved these changes

Assignees

@masutaka masutaka

Labels
documentation Improvements or additions to documentation
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@masutaka @MH4GF