
ci: pin github action versions #7826

Merged (4 commits, Dec 13, 2024)

Conversation

Boshen (Member) commented Dec 13, 2024

No description provided.

Boshen (Member, Author) commented Dec 13, 2024


How to use the Graphite Merge Queue

Add either label to this PR to merge it via the merge queue:

  • 0-merge - adds this PR to the back of the merge queue
  • hotfix - for urgent hot fixes, skip the queue and merge this PR next

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

codspeed-hq bot commented Dec 13, 2024

CodSpeed Performance Report

Merging #7826 will not alter performance

Comparing 12-13-ci_fix_more_zizmore_warnings (d8c6d04) with main (befb0a5)

Summary

✅ 29 untouched benchmarks

Boshen (Member, Author) commented Dec 13, 2024

https://docs.renovatebot.com/modules/manager/github-actions/ seems like the best approach to version pinning.

@Boshen Boshen marked this pull request as draft December 13, 2024 05:57
AaronDewes commented Dec 13, 2024

In my opinion, pinning to a more exact tag does not provide more security.

Someone manipulating the action could still probably force-push (unless GitHub actions prevents this somehow, but I don't think so).

https://woodruffw.github.io/zizmor/audits/#unpinned-uses

zizmor's pedantic mode requires you to pin to a specific commit. I would recommend doing that instead and set up a tool to automatically bump that commit hash to the latest stable release instead.

Please have a look at the renovate docs, it has support for this too.
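As an added example (not code from this project, zizmor or renovate), a small Python check in the spirit of zizmor's unpinned-uses audit: it treats only a full 40-hex commit SHA as pinned, because tags and branches are mutable references that can be moved after the fact. The regex and the sample workflow are constructed here, and the SHA in the sample is a placeholder.

```python
import re
from typing import NamedTuple

# Matches the value of a `uses:` key in a workflow file. A constructed
# approximation of what zizmor's unpinned-uses audit checks, not zizmor's code.
_USES_RE = re.compile(r"""^\s*-?\s*uses:\s*["']?([^\s"'#]+)""", re.MULTILINE)
_FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


class Finding(NamedTuple):
    ref: str      # the full `uses:` value as written
    status: str   # "pinned", "unpinned", "local" or "docker"


def classify_uses(value: str) -> str:
    if value.startswith("./"):
        return "local"        # action in this repo; moves with the checkout itself
    if value.startswith("docker://"):
        return "docker"       # image reference; pin by digest, out of scope here
    if "@" not in value:
        return "unpinned"     # no ref at all: resolves to the default branch
    _, ref = value.rsplit("@", 1)
    # Only a full 40-hex commit SHA is immutable; tags and branches can be moved.
    return "pinned" if _FULL_SHA_RE.match(ref) else "unpinned"


def audit_workflow(text: str) -> list[Finding]:
    return [Finding(v, classify_uses(v)) for v in _USES_RE.findall(text)]


def unpinned_uses(text: str) -> list[str]:
    return [f.ref for f in audit_workflow(text) if f.status == "unpinned"]


# Constructed sample workflow; the 40-hex SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: ./.github/actions/local-setup
      - uses: docker://alpine:3.19
      - run: echo "build"
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{finding.status:9} {finding.ref}")
```

Running it on the sample flags only `actions/checkout@v4`; a pinned SHA is still best accompanied by a trailing `# vX.Y.Z` comment so reviewers and a bump tool can tell which release it corresponds to.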

@Boshen Boshen force-pushed the 12-13-ci_fix_more_zizmore_warnings branch from 53e2ad4 to 3c25f28, December 13, 2024 10:46
@Boshen Boshen changed the title from "ci: fix more zizmor warnings" to "ci: pin github action versions", Dec 13, 2024
@Boshen Boshen force-pushed the 12-13-ci_fix_more_zizmore_warnings branch from 3c25f28 to d8c6d04, December 13, 2024 10:50
@Boshen Boshen marked this pull request as ready for review December 13, 2024 10:52
Boshen (Member, Author) commented Dec 13, 2024

I'm pinning these versions first in preparation for renovate bot to work.

@Boshen Boshen merged commit ba84acd into main Dec 13, 2024
26 of 27 checks passed
@Boshen Boshen deleted the 12-13-ci_fix_more_zizmore_warnings branch December 13, 2024 10:53