[infra] Hash-pin GitHub Actions, keep them updated with dependabot #6815
Conversation
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
Codecov Report

Coverage Diff (master vs. #6815)

             master    #6815      +/-
Coverage     83.40%   83.43%   +0.03%
Files           285      285
Lines         30879    30879
Hits          25754    25764      +10
Misses         4053     4044       -9
Partials       1072     1071       -1
@@ -16,7 +16,7 @@ jobs: | |||
pull-requests: write | |||
|
|||
steps: | |||
- uses: actions/stale@v4 |
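Review bot: only the removed `actions/stale@v4` line is visible in this hunk, not its replacement; for the pin to be both immutable and reviewable, the new `uses:` line should reference a full 40-character commit SHA and carry a trailing `# vX.Y.Z` comment, since dependabot bumps the hash and that comment together and reviewers need the comment to tell which release a bare hash corresponds to. Because this also moves the stale action across major versions, the `with:` inputs of this job should be checked against the newer action's defaults, as raised in the thread below.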
Are there breaking changes between v4 and v8? Do we need to update our config of the stale bot because of this?
No. There are a few "breaking changes", but none of them are significant, given how it's used here:
SGTM; thanks!
+@easwars for 2nd review
Why is hash-pinning, some of which are pinned to patch releases, better than manually pinning to major versions? Is it possible to configure the dependabot to only pin to major release versions?
I suggest pinning to hashes because it ensures Actions behave consistently. When pinning to a major version (
By "pin to major release versions", do you mean the status quo (i.e. In either case, the answer is yes:
Fixes #6814.
This PR hash-pins all GitHub Actions to increase the workflows' resilience to broken or malicious workflows.
It also sets up dependabot to send a single monthly PR updating all Actions with new versions.
RELEASE NOTES: NONE
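The reviewer exchange above (why a commit hash is a stronger pin than a `vN` tag) and the PR description (hash-pin everything, let dependabot refresh the pins) are both about the same invariant: every third-party `uses:` line references an immutable 40-hex SHA and carries a version comment dependabot can keep in sync. The script below is an added example, not code from this PR or the grpc-go project, that checks a workflow file for that invariant. The workflow snippets and the SHAs in them are constructed placeholders, and the `actions/stale` move from v4 to v8 mirrors the thread rather than any real commit.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A third-party `uses:` reference has the shape owner/repo[/path]@ref, optionally
# followed by a "# vX.Y.Z" comment. Local actions (./path) and docker:// images
# carry no git ref to pin, so the pattern deliberately does not match them.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>.*?))?\s*$"
)
# Only a full-length commit SHA is immutable; tags and branches can be moved
# or force-pushed by whoever controls the upstream repository.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    pinned: bool            # True only for a 40-hex commit SHA
    comment: Optional[str]  # the trailing "# vX.Y.Z" comment, if any


def check_workflow(text: str) -> List[Finding]:
    """Scan workflow text and classify every third-party `uses:` reference."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group("ref")
            findings.append(Finding(n, m.group("action"), ref,
                                    bool(SHA_RE.match(ref)), m.group("comment")))
    return findings


def unpinned(findings: List[Finding]) -> List[Finding]:
    """References that resolve through a mutable tag or branch."""
    return [f for f in findings if not f.pinned]


def missing_version_comment(findings: List[Finding]) -> List[Finding]:
    """Hash-pinned references with no human-readable version comment. Dependabot
    updates that comment alongside the SHA, and reviewers rely on it to see
    which release a bare hash corresponds to."""
    return [f for f in findings if f.pinned and not f.comment]


# Constructed samples (not taken from the PR); the SHAs are placeholder digests.
WORKFLOW_BEFORE = """\
jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/stale@v4
"""

WORKFLOW_AFTER = """\
jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
      - uses: ./.github/actions/local-setup
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.1
      - uses: actions/stale@89abcdef0123456789abcdef0123456789abcdef # v8.0.0
"""

if __name__ == "__main__":
    for name, wf in (("before", WORKFLOW_BEFORE), ("after", WORKFLOW_AFTER)):
        fs = check_workflow(wf)
        print(f"{name}: {len(unpinned(fs))} unpinned, "
              f"{len(missing_version_comment(fs))} pinned without version comment")
        for f in unpinned(fs):
            print(f"  line {f.line_no}: {f.action}@{f.ref} is a mutable ref")
```

Run against the "before" snippet it reports both `v3` and `v4` as mutable refs; against the "after" snippet it reports nothing, and the local `./.github/actions/local-setup` step is ignored because there is no upstream ref to pin. The version comment is what makes the monthly dependabot PR the description mentions readable: the bot rewrites both the SHA and the comment, so a reviewer can compare the old and new release numbers without resolving hashes by hand.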