Bump actions/checkout from 2.3.5 to 2.4.0 #89

dependabot · 2021-11-03T07:05:58Z

Bumps actions/checkout from 2.3.5 to 2.4.0.

Release notes

Sourced from actions/checkout's releases.

v2.4.0

Convert SSH URLs like org-<ORG_ID>@github.com: to https://github.com/ - pr

Commits

ec3a7ce set insteadOf url for org-id (#621)
fd47087 codeql should analyze lib not dist (#620)
3d677ac script to generate license info (#614)
826ba42 npm audit fix (#612)
eb8a193 update dev dependencies and react to new linting rules (#611)
c49af7c Create codeql-analysis.yml (#602)
See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

tstromberg · 2021-11-30T16:23:07Z

Failing due to #92

dependabot · 2021-11-30T16:23:09Z

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

Dependabot based push/pr builds don't have access to the quay secrets it seems (github magic?) (see [1], [2]) so lets avoid it all together. Dependabot pushes/PRs can be recognized by the github.actor value according to the GitHub docs[3]. [1]: #89 [2]: #95 [3]: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/automating-dependabot-with-github-actions#handling-pull_request-events Signed-off-by: Manuel Mendez <mmendez@equinix.com>

Dependabot based push/pr builds don't have access to the quay secrets it seems (github magic?) (see [1], [2]) so lets avoid it all together. Dependabot pushes/PRs can be recognized by the github.actor value according to the GitHub docs[3]. Fixes #92 [1]: #89 [2]: #95 [3]: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/automating-dependabot-with-github-actions#handling-pull_request-events Signed-off-by: Manuel Mendez <mmendez@equinix.com>

Dependabot PRs are different than other non-contributor PRs in that the branch comes from this repo, which normally allows the secret to be available for CI yet the builds still fail (see [1], [2]). It seems that GitHub does not make secrets available for these PRs as yet another special case [3]. If we skip logging in to quay for dependabot then we side step this all together. Dependabot pushes/PRs can be recognized by the github.actor value according to the GitHub docs [3]. [1]: #89 [2]: #95 [3]: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/automating-dependabot-with-github-actions#handling-pull_request-events Fixes #92 Signed-off-by: Manuel Mendez <mmendez@equinix.com>

## Description Avoids logging into quay for dependabot builds. ## Why is this needed Fixes #92 Dependabot PRs are different than other non-contributor PRs in that the branch comes from this repo, which normally allows the secret to be available for CI yet the builds still fail (see [1], [2]). It seems that GitHub does not make secrets available for these PRs as yet another special case [3]. If we skip logging in to quay for dependabot then we side step this all together. Dependabot pushes/PRs can be recognized by the github.actor value according to the GitHub docs [3]. [1]: #89 [2]: #95 [3]: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/automating-dependabot-with-github-actions#handling-pull_request-events I wanted to avoid logging in for non main pushes all together but that may make kernel testing harder than strictly necessary. ## How Has This Been Tested? CI? ## How are existing users impacted? What migration steps/scripts do we need? Updated dependencies sooner hopefully.

mmlb · 2021-11-30T20:40:01Z

@dependabot reopen

mmlb · 2021-11-30T20:40:20Z

@dependabot rebase

Bumps [actions/checkout](https://github.com/actions/checkout) from 2.3.5 to 2.4.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v2.3.5...v2.4.0) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

We skip logging in to quay.io when github.actor is dependabot in [#96] but did not check if any pushes were attempted. This was missed in the subsequent dependabot PRs [#89] and [#95] because there was no branch protection setup and I added the ready-to-merge label so mergify merged it :(. This should fix that. [#89]: #89 [#95]: #95 [#96]: #96 Signed-off-by: Manuel Mendez <mmendez@equinix.com>

We skipped logging in to quay.io when github.actor is dependabot in [#96] but did not check if any pushes were attempted. This was missed in the subsequent dependabot PRs [#89] and [#95] because there was no branch protection setup and I added the ready-to-merge label so mergify merged it :(. This should fix that. [#89]: #89 [#95]: #95 [#96]: #96 Signed-off-by: Manuel Mendez <mmendez@equinix.com>

We skipped logging in to quay.io when github.actor is dependabot in [#96] but did not check if any pushes were attempted. This change will avoid that failure. This was missed in the subsequent dependabot PRs [#89] and [#95] because there was no branch protection setup and I added the ready-to-merge label so mergify merged it :(. I've added branch protection to require the actions to pass. [#89]: #89 [#95]: #95 [#96]: #96 Signed-off-by: Manuel Mendez <mmendez@equinix.com>

## Description Avoids pushing to quay if the PR/push originates from dependabot. ## Why is this needed We skipped logging in to quay.io when github.actor is dependabot in [#96] but did not check if any pushes were attempted. This change will avoid that failure. This was missed in the subsequent dependabot PRs [#89] and [#95] because there was no branch protection setup and I added the ready-to-merge label so mergify merged it :(. I've added branch protection to require the actions to pass. [#89]: #89 [#95]: #95 [#96]: #96 ## How Has This Been Tested? CI

@mmlb

Hello. I would like to request moving from reviewer to approver role. I am looking for a sponsor from either @mmlb or @thebsdbox. Please and thank you. Requirements: - [X] I have reviewed the [community membership guidelines](https://github.com/tinkerbell/proposals/blob/main/proposals/0024/GOVERNANCE.md) - [X] I have [enabled 2FA on my GitHub account](https://github.com/settings/security) - [X] I have subscribed to the [tinkerbell-contributors e-mail list](https://lists.cncf.io/g/cncf-tinkerbell-dev) - [X] I am actively contributing to 1 or more Tinkerbell subprojects - [X] Reviewer for at least 1 month - [X] Shallow understanding of the technical goals and direction of the repository - [X] Shallow understanding of the technical domain of the repository - [X] Reviewed or merged at least 3 substantial PRs to the codebase such as significant re-design or whole new features PR Reviews #98 #89 #130 PR merges #118 #117 #116 #115 #59 Sponsor Request from @mmlb @thebsdbox

@mmlb

Hello. I would like to request moving from reviewer to approver role. I am looking for a sponsor from either @mmlb or @thebsdbox. Please and thank you. Requirements: - [X] I have reviewed the [community membership guidelines](https://github.com/tinkerbell/proposals/blob/main/proposals/0024/GOVERNANCE.md) - [X] I have [enabled 2FA on my GitHub account](https://github.com/settings/security) - [X] I have subscribed to the [tinkerbell-contributors e-mail list](https://lists.cncf.io/g/cncf-tinkerbell-dev) - [X] I am actively contributing to 1 or more Tinkerbell subprojects - [X] Reviewer for at least 1 month - [X] Shallow understanding of the technical goals and direction of the repository - [X] Shallow understanding of the technical domain of the repository - [X] Reviewed or merged at least 3 substantial PRs to the codebase such as significant re-design or whole new features PR Reviews #98 #89 #130 PR merges #118 #117 #116 #115 #59 Sponsor Request from @mmlb @thebsdbox

dependabot bot added the dependencies Pull requests that update a dependency file label Nov 3, 2021

jacobweinstock approved these changes Nov 16, 2021

View reviewed changes

tstromberg closed this Nov 30, 2021

dependabot bot deleted the dependabot/github_actions/actions/checkout-2.4.0 branch November 30, 2021 16:23

mmlb mentioned this pull request Nov 30, 2021

Don't try to login to quay if a push is made by dependabot #96

Merged

dependabot bot reopened this Nov 30, 2021

dependabot bot restored the dependabot/github_actions/actions/checkout-2.4.0 branch November 30, 2021 20:40

dependabot bot force-pushed the dependabot/github_actions/actions/checkout-2.4.0 branch from 3a37332 to 625efb6 Compare November 30, 2021 20:40

mmlb added the ready-to-merge Signal to Mergify to merge the PR. label Nov 30, 2021

mergify bot merged commit f974fed into main Nov 30, 2021

mergify bot deleted the dependabot/github_actions/actions/checkout-2.4.0 branch November 30, 2021 20:42

mmlb mentioned this pull request Nov 30, 2021

ci: Only push to quay if github.actor is not dependabot #97

Merged

jacobweinstock mentioned this pull request Aug 31, 2022

Request for Approver Role #141

Merged

8 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bump actions/checkout from 2.3.5 to 2.4.0 #89

Bump actions/checkout from 2.3.5 to 2.4.0 #89

Uh oh!

dependabot bot commented on behalf of github Nov 3, 2021 •

edited

Loading

Uh oh!

tstromberg commented Nov 30, 2021

Uh oh!

dependabot bot commented on behalf of github Nov 30, 2021

Uh oh!

mmlb commented Nov 30, 2021

Uh oh!

mmlb commented Nov 30, 2021

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Bump actions/checkout from 2.3.5 to 2.4.0 #89

Bump actions/checkout from 2.3.5 to 2.4.0 #89

Uh oh!

Conversation

dependabot bot commented on behalf of github Nov 3, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v2.4.0

Uh oh!

tstromberg commented Nov 30, 2021

Uh oh!

dependabot bot commented on behalf of github Nov 30, 2021

Uh oh!

mmlb commented Nov 30, 2021

Uh oh!

mmlb commented Nov 30, 2021

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

dependabot bot commented on behalf of github Nov 3, 2021 •

edited

Loading