Pin GH actions #3727
Thanks for opening this @marcofranssen ❤️ I opened an issue related to this, but it definitely seems like a welcome change. We discussed this on a previous contributor call, and one thing we wondered is if it is possible to define these versions and hashes at the top of each workflow, as a set of variables ... there are many places that we use the same action in each workflow and consolidating the versions might make it easier to manage ... but only if it works (😂) and if dependabot would still update them (unsure...). Let me know what you think .. thanks again!
Dependabot will manage it for you. It only works if it is inline. As soon as it moves to an environment variable you are on your own. Every time a new version is found dependabot will open a PR that updates the comment and shasum. Then it is up to the reviewer to check release notes in the PR description, check that the build succeeds, etc. You could even make a workflow that auto-approves dependabot PRs if they meet certain criteria. So basically automate the review process by looking up the commit hash and comparing it with the version tag, etc. And then automate the merge as well if everything matches up.
Ok .. I think this is ready to go, but there are a couple of conflicts that look related to recent code signing changes. Mind having a look and then we can get this merged?
Sure, will do tomorrow.
Hey @marcofranssen, gentle ping on this, it's ready to go aside from the conflicts
Let me check these conflicts first thing tomorrow
Thank you!! ❤️
Dependabot is also capable of pinning to future tag releases and will maintain the comment that describes the shasum. dependabot/dependabot-core#4691 Signed-off-by: Marco Franssen <[email protected]>
Dependabot is also capable of pinning to future tag releases and will maintain the comment that describes the shasum. dependabot/dependabot-core#4691 Signed-off-by: Marco Franssen <[email protected]> Co-authored-by: Evan Gilman <[email protected]>
Dependabot is also capable of pinning to future tag releases
and will maintain the comment that describes the shasum.
dependabot/dependabot-core#4691
This will ensure you always use the action at the commit when a version bump takes place, even if someone overwrites the tag with a new (malicious) tag.
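The review automation suggested in the discussion (look up the commit hash and compare it with the version tag) and the tag-overwrite risk described above, as an added example that is not code from this PR or from the project: it scans `uses:` lines of the form `owner/repo@<sha>  # vX.Y.Z` and reports pins whose version comment no longer resolves to the pinned commit. The `example/*` actions, the tag map and the commit ids are constructed placeholders; in a real run the map would come from `git ls-remote --tags`.

```python
import re
from typing import Dict, List, NamedTuple

# Review-side check for SHA-pinned actions (`uses: owner/repo@<sha>  # vX.Y.Z`):
# confirms that the version comment dependabot maintains resolves to the pinned commit.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<repo>[\w.-]+/[\w.-]+)(?:/[\w./-]+)?@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

class Finding(NamedTuple):
    line: int
    repo: str
    ref: str
    status: str  # ok | unpinned | no-comment | unknown-tag | mismatch

def check_workflow(workflow: str, tag_shas: Dict[str, Dict[str, str]]) -> List[Finding]:
    """tag_shas maps "owner/repo" -> {tag: commit sha}. In a real run fill it from
    `git ls-remote --tags` (use the peeled `^{}` entries for annotated tags); here the
    caller passes a constructed map so the check runs offline."""
    findings = []
    for lineno, line in enumerate(workflow.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue  # not a remote action reference (e.g. a local ./path action)
        repo, ref, comment = m["repo"], m["ref"], m["comment"]
        if not SHA_RE.match(ref):
            status = "unpinned"  # mutable tag or branch: whoever controls it can move it
        elif comment is None:
            status = "no-comment"  # pinned, but the version is not recorded for review
        else:
            expected = tag_shas.get(repo, {}).get(comment)
            if expected is None:
                status = "unknown-tag"  # commented tag does not exist upstream
            elif expected == ref:
                status = "ok"  # tag and pinned commit agree
            else:
                status = "mismatch"  # tag moved since pinning: investigate before merging
        findings.append(Finding(lineno, repo, ref, status))
    return findings

# Constructed sample data: fake commit ids, a fake org, and a small workflow.
GOOD_SHA, OLD_SHA = "1" * 40, "2" * 40
TAG_SHAS = {"example/checkout": {"v3.1.0": GOOD_SHA}, "example/setup-go": {"v4.0.0": GOOD_SHA}}
SAMPLE_WORKFLOW = f"""steps:
  - uses: example/checkout@{GOOD_SHA}  # v3.1.0
  - uses: example/setup-go@v4
  - uses: example/setup-go@{OLD_SHA}  # v4.0.0
  - uses: ./.github/actions/local
"""
```

Anything other than `ok` is a reason to hold the dependabot PR for a human look rather than auto-merge it.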