Migrate to the 'locker' GitHub action for locking closed/stale issues/PRs #6896
Conversation
ghost
assigned 
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## main #6896 +/- ##
==========================================
- Coverage 68.81% 68.80% -0.01%
==========================================
Files 1240 1240
Lines 249397 249397
Branches 25496 25496
==========================================
- Hits 171614 171596 -18
- Misses 71189 71203 +14
- Partials 6594 6598 +4
Flags with carried forward coverage won't be shown. Click here to find out more. |
| with: | ||
| repository: "microsoft/vscode-github-triage-actions" | ||
| path: ./actions | ||
| ref: cd16cd2aad6ba2da74bb6c6f7293adddd579a90e |
There was a problem hiding this comment.
what's this hash and who updates it?
There was a problem hiding this comment.
Seems like this refers to a commit here: microsoft/vscode-github-triage-actions@cd16cd2
I wonder why we use that instead of just tip of the stable branch?
There was a problem hiding this comment.
Good question. Yes, it's the latest commit sha that affected the locker action from the repo. General guidance from GitHub, the VS Code team, and our own infrastructure folks are all aligned that when reusing actions from another repository (that you don't own), you should stick to a specific commit sha rather than a tag/branch. That ensures your repo always references a known state of the action.
- Security hardening for GitHub Actions - GitHub Docs:
- "Pin actions to a full length commit SHA"
- https://github.com/microsoft/vscode-github-triage-actions/?tab=readme-ov-file#vs-codes-issue-triage-github-actions
- "use the lastest released tag to ensure stability"
- Except the repo stopped producing new release tags, and release tags don't follow the guidance above since tags can change their commit reference
There was a problem hiding this comment.
And as far as who updates it: We would only want/need to update it if the locker action is updated to fix a bug or add a feature that we need. Otherwise, it should stay on this commit sha indefinitely.
There was a problem hiding this comment.
My expectation would have been that we take latest, and then there is some bot (like dependabot) that would submit a PR to update it whenever latest changes. Can you file an issue in arcade or core-eng requesting that we have some sort of system for keeping these actions up to date?
Right now this feels like a checked in hardcoded version.
There was a problem hiding this comment.
Having the checked-in, hardcoded version is the correct thing here, per core-eng and GitHub security guidance, so I'm not sure what such an issue would look to achieve or what problem the checked-in, hardcoded version will cause.
This migrates away from the FabricBot implementation of a scheduled search over closed issues and adopts the Locker GitHub action authored by the VS Code team.
The updated fabricbot.json was generated via dotnet/fabricbot-config#83. The workflow file was implemented and tested at https://github.com/dotnet/fabricbot-config/blob/main/.github/workflows/locker.yml.
Since this workflow uses the actions/checkout action, we need to ensure the following GitHub Actions settings are enabled: