action: pin GitHub actions via SHA #54
Conversation
73decee to a47dde6
Guess if we do this we'd need a dependabot setup to update these too?
cc @pdgendt
That would be one solution, yes. On the other hand, this action does not change a lot anymore, as GitHub has other priorities right now, therefore I assume it is fine to manually update if necessary.
Good morning, is there anything else I can do or assist with to get this one merged? Would be happy to help with anything that is additionally necessary.
Sorry forgot to follow up on this, what would be the process for updating these then? Manually check the tag and update tag and comment? I'd really like this to be more slipstreamed.
Hey Fabio, no big deal, thanks for taking care of it! That would probably be the process if one does not want to use dependabot for that. I personally dislike using dependabot for GH actions, as security issues in new versions can lead to secret leakage with huge impacts; and dependabot makes it very tempting to 'merge without review' to get the PR closed. For the 'cache' action from GitHub, the action is not really updated regularly anymore, they don't even take contributions right now as they focus on other areas. For security related updates, GitHub scans actions and sends emails and notifications for the repository. My issue and reason for this PR is also not that action-zephyr-setup itself is dangerous or vulnerable, but when using it, I currently can't enforce pinned shasum versions in my repository, which is considered 'best practice' for GitHub actions currently. I hope that helps with finding decisions or ideas on how to tackle it. Also, feel free to close the PR in case this is not an issue right now and leads to too much overhead.
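The manual process discussed above (check the tag, then update the SHA and the version comment together) can be scripted so that a mismatch between a pinned SHA and the tag named in its comment is caught before a PR is merged. The script below is an added example and is not part of this PR or of the action-zephyr-setup project: it parses SHA-pinned `uses:` lines (accepting both the `#v4.3.0` and `# v4.3.0` comment spellings from the review thread), resolves the tag with `git ls-remote`, and reports pins whose SHA does not match the tag or that carry no version comment at all. The function names, the github.com URL layout and the sample lines are assumptions; the SHA/tag pair in the sample is the one from the diff.

```shell
#!/bin/sh
# Added example, not code from this PR or from the action-zephyr-setup project.
# Checks pins of the form
#   uses: owner/repo@<40-hex-commit> # vX.Y.Z
# by parsing the line and comparing the SHA with the commit the tag in the
# comment resolves to. Function names and the github.com URL are assumptions.

# parse_uses_line LINE -> prints "owner/repo sha tag" for a full-length SHA pin,
# returns 1 for anything else (tag refs such as @v4, abbreviated SHAs, other keys).
# Both "#v4.3.0" and "# v4.3.0" are accepted; tag is "-" when there is no comment.
parse_uses_line() {
  ref=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*-*[[:space:]]*uses:[[:space:]]*//p')
  [ -n "$ref" ] || return 1
  repo=${ref%%@*}
  rest=${ref#*@}
  sha=${rest%%[[:space:]#]*}          # drop the trailing comment, if any
  case $sha in
    *[!0-9a-f]*) return 1 ;;          # not a lowercase hex commit id (e.g. "v4")
  esac
  [ ${#sha} -eq 40 ] || return 1      # short SHAs are ambiguous, reject them too
  tag=$(printf '%s\n' "$rest" | sed -n 's/^[^#]*#[[:space:]]*\([^[:space:]]*\).*/\1/p')
  printf '%s %s %s\n' "$repo" "$sha" "${tag:--}"
}

# resolve_tag_sha REPO TAG -> prints the commit TAG points to on github.com.
# For an annotated tag the peeled "^{}" entry follows the tag object, so the
# last line is the commit either way (assumed ordering). Needs network access.
resolve_tag_sha() {
  git ls-remote --tags "https://github.com/$1.git" "refs/tags/$2" "refs/tags/$2^{}" \
    | tail -n 1 | cut -f 1
}

# compare_pin LINE RESOLVED -> 0 when the pinned SHA equals RESOLVED,
# 1 on a mismatch, 2 when LINE is not a SHA pin at all.
compare_pin() {
  line=$1
  resolved=$2
  parsed=$(parse_uses_line "$line") || { echo "not a SHA pin: $line" >&2; return 2; }
  set -- $parsed
  if [ "$2" = "$resolved" ]; then
    echo "ok: $1@$2 matches $3"
    return 0
  fi
  echo "MISMATCH: $1 pinned to $2 but $3 resolves to $resolved" >&2
  return 1
}

# check_file FILE -> 1 if any SHA-pinned action in FILE has no version comment,
# names a tag that cannot be resolved, or disagrees with that tag.
check_file() {
  file=$1
  status=0
  while IFS= read -r line; do
    parsed=$(parse_uses_line "$line") || continue   # not pinned by SHA: nothing to verify
    set -- $parsed
    if [ "$3" = "-" ]; then
      echo "no version comment on $1@$2; cannot tell which tag it tracks" >&2
      status=1
      continue
    fi
    resolved=$(resolve_tag_sha "$1" "$3")
    if [ -z "$resolved" ]; then
      echo "tag $3 not found in $1" >&2
      status=1
      continue
    fi
    compare_pin "$line" "$resolved" || status=1
  done < "$file"
  return $status
}

# Constructed sample lines; the SHA/tag pair is the one from the PR diff.
SAMPLE_PINNED='      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0'
SAMPLE_TAG_ONLY='      uses: actions/cache@v4'

# Usage: sh check_pins.sh action.yml   (resolves every pinned tag over the network)
if [ "$#" -eq 1 ] && [ -f "$1" ]; then
  check_file "$1"
fi
```

Run against `action.yml` it prints one `ok:` line per pin that matches its tag and exits non-zero on a mismatch, a missing comment or an unknown tag, which is enough to wire into CI as a gate before the manual "update tag and comment" step.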
action.yml
Outdated
| - name: Cache Python packages | ||
| uses: actions/cache@v4 | ||
| uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 #v4.3.0 |
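Review bot: the version comment on the added line is written `#v4.3.0` with no space after the `#`; the spaced form `# v4.3.0` is the one Dependabot reads to tell which release a 40-character SHA stands for, so a later bump (automated or manual) relies on it being in that form. It would also help to note in the PR how the SHA was obtained from the `v4.3.0` tag, so a reviewer can confirm the pinned commit is the one the tag points to rather than taking the comment on trust.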
| uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 #v4.3.0 | |
| uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 |
add a space after the #, that's how dependabot uses it, just for coherency
It's fine, let's go with this, it's just one action I'm probably overthinking it. Can you fix the format though?
There were several issues with CI actions and moved tags on GitHub in the past, therefore a lot of repositories activated the function to enforce full-length sha pins for actions. This also applies recursively, and this action does not pin used actions itself, making it not usable in a lot of other repos. To improve adoption and make the action also more deterministic, we pin the versions of used actions in this commit.
Signed-off-by: Stefan Kraus <[email protected]>
a47dde6 to 10b694f
Just did, good catch. In case the GH action gets more active again, or one sees other problems, feel free to revert or contact me for other contributions or support in maintaining this.
@kartben can you take a look?
No description provided.