tools: use actions pinned by commit hash on coverage-linux.yml #46294
Closed

Commits (5):
- cbd8c8a tools: use actions pinned by commit hash in coverage-linux (gabibguti)
- f023b10 tools: Double space inline comments (gabibguti)
- b8bfce1 tools: Add dependabot for GHA version updates (gabibguti)
- 0194f28 tools: Fix lint double quote error (gabibguti)
- 2bda6e1 tools: fix linter issues (gabibguti)
Does it really make sense for Actions provided by GitHub? Since they're the ones who also provide the hardware, we have to trust them at some point, and keeping this updated seems more likely to happen if we're using a tag rather than a commit hash. +1 for doing it for the codecov action though. wdyt?
I agree with you that it's debatable. After all, if GitHub itself gets hijacked we would have bigger problems. About keeping the hash updated, it's a good point. Dependabot can take care of updating the hash and the version tag comment, which is more readable. But, yes, keeping the tag version or tag major can be a good option for GitHub actions if you folks prefer.
To provide context: dependabot/dependabot-core#4691 (comment)
Shall we resolve the linting warning?
I do this pinning also in my personal projects but have the comment above the actual `uses` line.
Edit: it seems, according to the dependabot link dependabot/dependabot-core#4691 (comment), that only this comment format is supported? Not sure if the linting issue will go away without doing any further changes.
Might be a problem with the linting rules of GH.
In my opinion it is good to pin all actions, also those of GitHub. We cannot be sure if and who pushes what code. What if someone has bad intentions and joins GitHub just to get malicious code into such solutions?
Also at least I do not know which persons maintain the project, have push and write permissions and if I can trust every single one.
Some PRs also seem to be spam or malicious: https://github.com/actions/checkout/pulls
I doubt that the same persons who have access to the hardware at GH (totally different security restrictions) also work on the actions or have access to them.
Tags can also be changed / pointed to different commits at any time - at least in Git.
I believe I fixed the lint warning but kept the version comment inline, because, in my understanding, dependabot can only update the version comment inline.
Perfect, thank you very much. This is ok for me as long as dependabot can automatically handle this.
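The pinning pattern the thread settles on, shown as an added example rather than the PR's own diff: a tag-pinned workflow fragment beside its commit-pinned form with the inline `# vX.Y.Z` comment Dependabot keeps in sync, plus a small checker that flags `uses:` lines still on a mutable tag or missing the version comment. The workflow fragments, the 40-hex SHAs and the `check_pins` helper are all constructed here (the SHAs are placeholders, not real release commits); the `dependabot.yml` keys are the standard github-actions ecosystem config.

```python
import re

# Constructed sample fragments (not the PR's diff): the tag-pinned form the
# review discusses, beside the commit-pinned form with a version comment.
TAG_PINNED = """\
steps:
  - uses: actions/checkout@v3
  - uses: actions/setup-node@v3
  - uses: codecov/codecov-action@v3
"""

# Placeholder SHAs (40 hex chars); real pins are taken from the action's release tag.
SHA_PINNED = """\
steps:
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v3.3.0
  - uses: actions/setup-node@89abcdef0123456789abcdef0123456789abcdef  # v3.6.0
  - uses: codecov/codecov-action@fedcba9876543210fedcba9876543210fedcba98  # v3.1.1
"""

# Standard Dependabot config that bumps the SHA and the inline comment together.
DEPENDABOT_YML = """\
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
"""

USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?:\s+#\s*(?P<comment>\S+))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")


def check_pins(workflow_text):
    """Return (line_no, action, problem) for each `uses:` line that is not
    pinned to a full commit SHA followed by a '# vX.Y.Z' version comment."""
    problems = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue  # local './action' and 'docker://' forms are not covered
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if not SHA_RE.match(ref):
            problems.append((n, action, f"ref '{ref}' is a mutable tag/branch, not a commit SHA"))
        elif not comment or not VERSION_RE.match(comment):
            problems.append((n, action, "missing '# vX.Y.Z' comment that Dependabot updates"))
    return problems
```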