Pin the GitHub actions we use on this repo to a full length commit SHA

[HonkingGoose]

What would you like Renovate to be able to do?

@rarkins and @viceice now that PR #10835 is merged, we can start thinking about pinning our GitHub Actions to the current full length Git commit SHA?

Did you already have any implementation ideas?

@viceice can you explain what pattern we need to follow to make things work properly?
I think you can use a comment to say what "tagged version" you're at???

As an example I've grabbed the commit to which actions/setup-node@v2.2.0 points right now.

- name: Set up Node.js ${{ env.NODE_VERSION }}
  uses: actions/setup-node@38d90ce44d5275ad62cc48384b3d8a58c500bb5f
  with:
    node-version: ${{ env.NODE_VERSION }}
    cache: yarn

Or maybe we can add a comment which says what tag we're "following".

- name: Set up Node.js ${{ env.NODE_VERSION }}
  uses: actions/setup-node@38d90ce44d5275ad62cc48384b3d8a58c500bb5f # setup-node: tag=v2
  with:
    node-version: ${{ env.NODE_VERSION }}
    cache: yarn

We'll also need to update the default.json over on the renovate/.github repository, to make use of the new feature.

[viceice]

1. We need to wait for v25.56.0 to be live in hosted app ⏳
2. We need to add helpers:pinGitHubActionDigests preset ✍️
   • https://github.com/renovatebot/.github/blob/main/default.json
   • https://github.com/containerbase/.github/blob/main/default.json
3. Wait for renovate to do some magic ⌛ 🧙

[HonkingGoose]

I've made PRs on renovatebot/.github and on containerbase/.github to add helper:pinGitHubActionDigests to their config files.

See:

• feat: add helper:pinGitHubActionDigests to extends array .github#23
• feat: add helper:pinGitHubActionDigests to extends array containerbase/.github#2

[rarkins]

@viceice how come we already got so many pinning PRs in this org already? Is it because we have pinDigests=true already?

[viceice]

i did not found any ref to pinDigests=true. i don't know what happens 🤔

[viceice]

on docker-rust we don't have pin updates

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["github>renovatebot/.github"]
}

on internal-tools we have pin updates

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["github>renovatebot/.github"],
  "packageRules": [
    {
      "paths": ["+(Dockerfile)"],
      "enabled": false
    },
    {
      "updateTypes": ["lockFileMaintenance"],
      "semanticCommitType": "build"
    },
    {
      "packageNames": ["renovate"],
      "extends": ["schedule:weekly"],
      "automerge": true,
      "separateMinorPatch": false
    }
  ]
}

[rarkins]

Those PRs caused config errors so I have reverted them. I'd love to know what's going on..

[viceice]

Those PRs caused config errors so I have reverted them. I'd love to know what's going on..

It was wrong preset name, there was a missing s, so right name is helpers:pinGitHubActionDigests, updated my comment above too.

But it's unclear to my. why we have pin pr's without even adding this preset. And why only in some repos. Very strange.

[HonkingGoose]

It was wrong preset name, there was a missing s, so right name is helpers:pinGitHubActionDigests, updated my comment above too.

Opened PR #10857 to fix the typo in the docs.

[HonkingGoose]

Those PRs caused config errors so I have reverted them. I'd love to know what's going on..

The config error was probably because I used the wrong name for the helpers: preset... 😉

Do you want 2 new PRs from me with the correct config, or do you want to hold off for now?

[viceice]

we should hold of until we know why we already got pin pr's.

[viceice]

Found it, github-actions assign language=docker

renovate/lib/manager/github-actions/index.ts

Line 4 in bcb359d

const language = LANGUAGE_DOCKER;

so it is assigning the docker:pinDigests preset:

renovate/lib/config/presets/internal/docker.ts

Lines 36 to 41 in 74d7691

	pinDigests: {
	description: 'Pin Docker digests',
	docker: {
	pinDigests: true,
	},
	},

here:

renovate/lib/config/index.ts

Lines 23 to 26 in 11694e9

	const language = get(manager, 'language');
	if (language) {
	managerConfig = mergeChildConfig(managerConfig, config[language]);
	}

[viceice]

@HonkingGoose you can now prepare those pr's.

[HonkingGoose]

@HonkingGoose you can now prepare those pr's.

You've got new PR's! 😉

[HonkingGoose]

This issue can be closed now that we merged PR #10858 and have pinned our GitHub Actions to a full length commit SHA.