
[infra] Hash-pin GitHub Actions, keep them updated with dependabot #6815


Merged
merged 2 commits into from
Dec 6, 2023

Conversation

pnacht
Contributor

@pnacht pnacht commented Nov 21, 2023

Fixes #6814.

This PR hash-pins all GitHub Actions to increase the workflows' resilience to broken or malicious workflows.

It also sets up dependabot to send a single monthly PR updating all Actions with new versions.

RELEASE NOTES: NONE

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
@pnacht pnacht changed the title Hash-pin GitHub Actions, keep them updated with dependabot [infra] Hash-pin GitHub Actions, keep them updated with dependabot Nov 21, 2023

codecov bot commented Nov 21, 2023

Codecov Report

Merging #6815 (2401b8a) into master (7935c4f) will increase coverage by 0.03%.
Report is 1 commits behind head on master.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #6815      +/-   ##
==========================================
+ Coverage   83.40%   83.43%   +0.03%     
==========================================
  Files         285      285              
  Lines       30879    30879              
==========================================
+ Hits        25754    25764      +10     
+ Misses       4053     4044       -9     
+ Partials     1072     1071       -1     

see 13 files with indirect coverage changes

@@ -16,7 +16,7 @@ jobs:
pull-requests: write

steps:
- uses: actions/stale@v4
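Review bot: the only visible line of this hunk is the unpinned `- uses: actions/stale@v4`; when it is replaced by a commit SHA, keep a trailing version comment (for example `# v8`) so the pinned version stays readable in review and dependabot can bump the comment alongside the hash, as the version-comment discussion later in this thread describes.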
Member


Are there breaking changes between v4 and v8? Do we need to update our config of the stale bot because of this?

Contributor Author


No. There are a few "breaking changes", but none of them are significant, given how it's used here:

  • v5: no changes
  • v6: when an issue is closed by the bot, it is now closed as "Not planned", not as "Completed"
  • v7: changes how the bot handles "exempt" issues/PRs, which aren't used here
  • v8: if there's an error, the Action will fail, not pretend to succeed

Member


SGTM; thanks!

@dfawley dfawley added the Type: Meta Github repo, process, etc label Dec 5, 2023
@dfawley dfawley added this to the 1.61 Release milestone Dec 5, 2023
@dfawley
Member

dfawley commented Dec 5, 2023

+@easwars for 2nd review

@easwars
Contributor

easwars commented Dec 5, 2023

This PR hash-pins all GitHub Actions to increase the workflows' resilience to broken or malicious workflows.

Why is hash-pinning, some of which are pinned to patch releases, better than manually pinning to major versions? Is it possible to configure the dependabot to only pin to major release versions?

@pnacht
Contributor Author

pnacht commented Dec 6, 2023

Why is hash-pinning, some of which are pinned to patch releases, better than manually pinning to major versions?

I suggest pinning to hashes because it ensures Actions behave consistently. When pinning to a major version (@v2), the project will be immediately vulnerable to a broken or malicious version as soon as it is released. Pinning to a patch version (@v2.1.3) helps against a broken release, but not a malicious one (since the tag can be modified to point to a malicious commit). Only by hash-pinning an Action to a particular commit can you be confident the Action's behavior won't change beneath your feet.

Is it possible to configure the dependabot to only pin to major release versions?

By "pin to major release versions", do you mean the status quo (i.e. actions/checkout@v2) or pinning to a major version commit (actions/checkout@1a2b3c... # v2)?

In either case, the answer is yes:

  • If the former, dependabot can be set up to just bump these tags whenever a new major version is released.
  • If the latter, the "version comment" can be to a major release version instead. The hash will be the same as the ones proposed in the current PR, because the major version tag points to the same commit as the latest patch version tag. Whenever a new minor/patch version is released, you'll still receive a dependabot PR suggesting you update to the latest version. The "version comment" will remain the same (unless there's a new major version), just the hash will be changed to point to the newest patch version.
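The distinction drawn in this thread between mutable tag pins (`@v2`, `@v2.1.3`) and immutable commit pins with a version comment can be checked mechanically. The following audit script is an added example, not code from this PR or the grpc-go project; the workflow text and the 40-hex SHA it scans are constructed sample input.

```python
import re
from typing import NamedTuple, Optional

# Matches `uses: owner/repo@ref` optionally followed by a `# version` comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^@\s]+)@(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>\S.*))?$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # full commit SHA: immutable
SEMVER_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")  # v2 / v2.1 / v2.1.3: mutable tags


class Pin(NamedTuple):
    action: str
    ref: str
    kind: str               # "sha", "major", "minor", "patch" or "other"
    comment: Optional[str]  # text after '#', e.g. "v4.1.0"
    line: int


def classify_ref(ref: str) -> str:
    """Classify how tightly an Action reference is pinned."""
    if SHA_RE.match(ref):
        return "sha"
    if SEMVER_RE.match(ref):
        return {1: "major", 2: "minor", 3: "patch"}[ref.lstrip("v").count(".") + 1]
    return "other"  # branch names such as @main, or abbreviated SHAs


def audit_workflow(text: str) -> list[Pin]:
    """Return every remote `uses:` reference found in a workflow file's text."""
    pins = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group("ref")
            pins.append(Pin(m.group("action"), ref, classify_ref(ref), m.group("comment"), n))
    return pins


def findings(text: str) -> list[str]:
    """Flag mutable refs (tags/branches) and SHA pins lacking a readable version comment."""
    out = []
    for p in audit_workflow(text):
        if p.kind != "sha":
            out.append(f"line {p.line}: {p.action}@{p.ref} is a mutable {p.kind} ref; pin to a commit SHA")
        elif not p.comment:
            out.append(f"line {p.line}: {p.action}@{p.ref} has no '# vX.Y.Z' comment; version is unreadable")
    return out


SAMPLE_WORKFLOW = """\
jobs:
  stale:
    steps:
      - uses: actions/stale@v4
      - uses: actions/checkout@v4.1.1
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v4.1.0
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
"""
```

Running `findings(SAMPLE_WORKFLOW)` reports the two tag pins and the uncommented SHA pin, leaving only the hash-plus-comment form the PR adopts unflagged.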

@easwars easwars merged commit c2398ce into grpc:master Dec 6, 2023
1 check passed
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 4, 2024
Labels
Type: Meta Github repo, process, etc
Successfully merging this pull request may close these issues.

Harden GitHub workflows by hash-pinning Actions