CI: Pin GitHub Actions to commit SHAs #3063
This pins all third-party actions to immutable commit SHAs, with the resolved version tag in a trailing comment. This prevents upstream tags from silently changing under us.

- actions/checkout → v6.0.2 (bumped from v5 to reduce `artipacked` severity: v6 no longer stores credentials in `.git/config`)
- actions/setup-node → v6.3.0
- rust-lang/crates-io-auth-action → v1.0.4

See https://docs.zizmor.sh/audits/#unpinned-uses
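To see what the pinning convention above buys a reviewer, here is an added example (not code from the mdBook project or from this PR) that audits a workflow body for `uses:` references that are not pinned to a full 40-hex commit SHA, the same condition zizmor's unpinned-uses audit flags. The workflow text and the SHA in it are constructed placeholders, not real commits for any tag.

```python
import re

# Constructed sample workflow; the 40-hex value is a placeholder SHA,
# not the actual commit behind any real action tag.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6.0.2
      - uses: actions/setup-node@v6
      - uses: rust-lang/crates-io-auth-action@main
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
      - run: echo hi
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(line):
    """Return (ref, status, trailing_comment) for a `uses:` line, else None.

    status is 'local' (./path), 'docker' (docker://...), 'pinned' (the part
    after '@' is a full commit SHA) or 'unpinned' (tag, branch or no '@').
    """
    m = USES_RE.match(line)
    if not m:
        return None
    ref = m.group("ref").strip("'\"")
    comment = (m.group("comment") or "").strip()
    if ref.startswith("./"):
        return (ref, "local", comment)
    if ref.startswith("docker://"):
        return (ref, "docker", comment)
    if "@" not in ref:
        return (ref, "unpinned", comment)
    _, version = ref.rsplit("@", 1)
    return (ref, "pinned" if SHA_RE.match(version) else "unpinned", comment)


def audit_workflow(text):
    """List (line_number, ref) for every third-party action that is not SHA-pinned."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        result = classify_uses(line)
        if result and result[1] == "unpinned":
            findings.append((lineno, result[0]))
    return findings
```

Mutable refs (a tag like `@v6` or a branch like `@main`) are reported; a SHA-pinned line keeps its `# v6.0.2` comment so tooling such as renovate can still read the resolved version.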
Thanks. I don't think we can update the checkout action to v6 yet without some other fixes.

Hmm, how so? Did you notice any issues with it?

v6 changed the way git permissions are stored. There is a scheduled job here that pushes to a branch that I think may break (similar things broke in other repos). But I haven't had the time to test it or figure out how to fix it.
Also, do you happen to know if the renovate configuration needs to be updated to use this style?
I was aware of the change, which was the main reason for the simultaneous upgrade, but I wasn't aware that stuff would actually break due to it. I was under the impression that the git credentials path change was transparent/opaque/whatever-the-right-term-is and a regular (mdBook/.github/workflows/update-dependencies.yml, lines 3 to 4 at 05fbc5d) ci/update-dependencies.sh, which then uses git push and gh pr create, which I would assume should just keep working.

(mdBook/ci/update-dependencies.sh, lines 40 to 44 at 05fbc5d)

Do you have any examples that I could look at?

The style should match what renovate does natively, and is AFAIU also supported by dependabot.