Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update all actions we use in our workflows to pull from specific pinned commits #1305

Open
wants to merge 3 commits into
base: develop
Choose a base branch
from
Open

Update all actions we use in our workflows to pull from specific pinned commits #1305

wants to merge 3 commits into from

Conversation

dkotter
Copy link
Collaborator

@dkotter dkotter commented Mar 18, 2025

Description of the Change

In order to help protect against compromised actions, instead of including actions based on their major version (like v4), this PR switches all the actions we use to pull based on the commit hash from the latest release.

While this does impact maintenance a bit going forward, it ensures that we we're always using actions that we (hopefully) trust and if an action gets compromised (which happens) we don't have to worry that we're using a compromised action. This also goes along with what GitHub suggests.

How to test the Change

Ensure all our workflows still run as expected

Changelog Entry

Developer - Update all third-party actions our workflows rely on to use versions based on specific commit hashes.

Credits

Props @dkotter, @jeffpaul

Checklist:

@dkotter dkotter added this to the 2.2.0 milestone Mar 18, 2025
@dkotter dkotter self-assigned this Mar 18, 2025
@dkotter dkotter requested a review from jeffpaul as a code owner March 18, 2025 20:03
@github-actions github-actions bot added the needs:code-review This requires code review. label Mar 18, 2025
jeffpaul
jeffpaul reviewed Mar 18, 2025
View reviewed changes
.github/workflows/lint.yml
- name: Annotate code linting results
uses: ataylorme/eslint-annotate-action@1.2.0
uses: ataylorme/eslint-annotate-action@5f4dc2e3af8d3c21b727edb597e5503510b1dc9c # v2.2.0
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like some interesting updates in the 3.0.0 release, but definitely a concern for a different day/PR

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah... I debated going to 3.0.0 but with the noted breaking changes there, decided it might be better to handle that separately (though it may just work without any needed changes on our end)

jeffpaul
jeffpaul previously approved these changes Mar 18, 2025
View reviewed changes
Copy link
Member

@jeffpaul jeffpaul left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, thanks for handling these so quickly!

@dkotter
Copy link
Collaborator Author

dkotter commented Mar 18, 2025

Some E2E failures here but does not seem related to the changes in this PR. I think I may wait until #1302 gets merged in (as that PR fixes some existing failures) to see if that fixes things here

@dkotter dkotter requested a review from a team as a code owner March 19, 2025 16:42
@dkotter dkotter requested review from faisal-alvi and removed request for a team March 19, 2025 16:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@faisal-alvi faisal-alvi faisal-alvi approved these changes

@jeffpaul jeffpaul jeffpaul left review comments

Assignees

@dkotter dkotter

Labels
needs:code-review This requires code review.
Projects
None yet
Milestone
2.2.0
Development

Successfully merging this pull request may close these issues.
3 participants
@dkotter @jeffpaul @faisal-alvi