
Support for version comments? #167

Closed
woodruffw opened this issue Jun 28, 2024 · 3 comments

Comments

@woodruffw

Please describe the enhancement

First of all, thanks for this tool! I've been looking for something exactly like this.

frizbee overlaps nicely with CI-side workflow updaters, like Dependabot. Dependabot supports version comments next to each hash-pinned workflow per dependabot/dependabot-core#4691, like so:

uses: example/example@longhash # v1.2.3

When Dependabot bumps longhash, it also rewrites the version comment to match the git tag for the new hash:

uses: example/example@newhash # v1.2.4

It would be awesome if frizbee could generate these version comments, so that Dependabot (et al.) could use them.

Solution Proposal

My proposal: frizbee actions ... should support generating a version comment next to each workflow reference that it transformed into a fully hashed reference.

Example input:

uses: example/example@v1.2.3

Example output, with this new feature:

uses: example/example@longhash # v1.2.3

This would be a behavioral change from the current default, so it might make sense to keep it behind a --add-version-comments (or similar) option.

Describe alternatives you've considered

The main alternative is to do nothing 🙂 -- Dependabot and other tools work fine without the comment; it's mostly there for human comprehension.

Additional context

As mentioned above, dependabot/dependabot-core#4691 is the original Dependabot tracker for this feature.

This version comment idiom also appears in OpenSSF's Scorecard and elsewhere.

Acceptance Criteria

frizbee actions adds version comments while hash-pinning workflows!
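The rewrite the issue asks for, as an added illustration that is not frizbee's own code: a Go function that hash-pins a workflow `uses:` line and appends the original tag as a version comment, so the reference no longer follows a movable tag while a human can still read which version was pinned. The tag-to-SHA map, the placeholder SHA and the sample lines are constructed; a real tool would resolve tags against the Git remote.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// usesRe captures a workflow `uses:` line: key prefix, action reference, optional trailing comment.
var usesRe = regexp.MustCompile(`^(\s*-?\s*uses:\s*)([^\s#]+)\s*(#.*)?$`)

// shaRe recognises a reference that is already a full 40-hex commit SHA.
var shaRe = regexp.MustCompile(`^[0-9a-f]{40}$`)

// PinUsesLine rewrites `uses: owner/repo@tag` to `uses: owner/repo@<sha> # tag`, the version-comment
// idiom. resolve maps "owner/repo@tag" to a commit SHA (a real tool would query the Git remote).
// Non-`uses:` lines, local (./) and docker:// actions, and references already pinned to a SHA are
// returned unchanged; an old trailing comment is replaced by the version comment.
func PinUsesLine(line string, resolve map[string]string) (string, error) {
	m := usesRe.FindStringSubmatch(line)
	if m == nil {
		return line, nil
	}
	prefix, ref := m[1], m[2]
	if strings.HasPrefix(ref, "./") || strings.HasPrefix(ref, "docker://") {
		return line, nil
	}
	at := strings.LastIndex(ref, "@")
	if at < 0 {
		return "", fmt.Errorf("malformed action reference %q", ref)
	}
	action, version := ref[:at], ref[at+1:]
	if shaRe.MatchString(version) {
		return line, nil // already hash-pinned: leave it and its comment alone
	}
	sha, ok := resolve[action+"@"+version]
	if !ok {
		return "", fmt.Errorf("cannot resolve %s@%s to a commit", action, version)
	}
	return fmt.Sprintf("%s%s@%s # %s", prefix, action, sha, version), nil
}

func main() {
	// Constructed mapping and workflow lines; the SHA is a placeholder, not a real commit.
	resolve := map[string]string{"example/example@v1.2.3": "0123456789abcdef0123456789abcdef01234567"}
	for _, l := range []string{"steps:", "  - uses: example/example@v1.2.3 # old note", "  - uses: ./local"} {
		out, err := PinUsesLine(l, resolve)
		fmt.Println(out, err)
	}
}
```

Quoted references (`uses: "owner/repo@v1"`) are not handled here; a production implementation would parse the YAML scalar rather than the raw line.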

@woodruffw (Author)

NB: This requires editing YAML comments, which is a significant pain. So I understand not wanting to undertake implementing this, especially since it constrains the tool's ability to round-trip through a normal YAML parser 🙂

@rdimitrov (Member)

Hey @woodruffw, thanks for reaching out and happy to hear you find frizbee useful! 🚀 😃

Can you share more details about which version of Frizbee you are using and if possible an example workflow file which we can use to reproduce this?

Asking this because frizbee should already support it (link to the unit test - replacer_test.go), but it's possible that you have hit some bug 😃

@woodruffw (Author)

Whoops, I somehow completely missed this. I just tried frizbee actions again and it did indeed insert the comments I expected.

Sorry for the noise here, and thanks again for the fantastic tool!
