
gh-109110: Hash-pin GitHub Actions #109111


Closed (2 commits)

Conversation

@pnacht pnacht commented Sep 7, 2023

Fixes #109110.

This PR hash-pins all GitHub Actions and configures dependabot to keep them up-to-date with a single monthly PR. This will increase the resiliency of the repo's workflows in the face of broken or malicious versions of any Actions.

I don't believe this change requires a NEWS entry, but let me know and I'll add one.

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

ghost commented Sep 7, 2023

All commit authors signed the Contributor License Agreement.
CLA signed

@bedevere-bot
Most changes to Python require a NEWS entry.

Please add it using the blurb_it web app or the blurb command-line tool.

Comment on lines -10 to -14
ignore:
- dependency-name: "*"
update-types:
- "version-update:semver-minor"
- "version-update:semver-patch"
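Review bot: Dropping this `ignore` for `version-update:semver-minor` and `version-update:semver-patch` is required once the actions are hash-pinned, since a pinned SHA never advances on its own and every release has to arrive as a Dependabot PR, but the hunk does not show which `package-ecosystem` entry the block belongs to; the PR description should state that it sits under the `github-actions` entry, otherwise a reviewer reading only the diff cannot tell whether the `pip` entry (which the discussion says has no `ignore` field) is affected.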
Contributor

dependabot doesn't just update GHA, this looks like it will cause deps in Doc/requirements.txt to start pinging us with every micro-release, no?

Author

It's not visible in the PR diff, but the start of this block in the dependabot.yml file declares it's only for GitHub Actions.

There is another block with - package-ecosystem: pip which handles version bumps for Python dependencies, but it's actually only looking at the /Tools/ directory. And that block doesn't have an ignore field, so CPython is currently receiving minor and patch version bumps for those dependencies (example).

However, Doc/requirements.txt is currently ignored by dependabot version bumps. (But it still receives security updates whenever a dependency has a vulnerability).
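The two points discussed above, hash-pinning `uses:` references (the PR description) and checking which dependabot.yml ecosystem entry carries the `ignore` filter for minor and patch bumps (this exchange), as an added example in Python. It is not code from the CPython PR or repository. The workflow, both dependabot configs and the tag-to-SHA table are constructed for illustration: the SHAs are placeholders, the `groups` stanza in the "after" config is an assumption about how a single monthly PR would be produced, and a real tool would obtain SHAs with `git ls-remote --tags` rather than from a hard-coded table.

```python
"""Audit `uses:` pins in a GitHub Actions workflow and check dependabot.yml.

Added example, not code from the CPython PR. All inputs below are constructed;
the 40-hex values are placeholders, not real commits. A real tool would fill
the tag->SHA table from `git ls-remote --tags https://github.com/<owner>/<repo>`.
"""
import re
from typing import Dict, List, Optional, Tuple

# owner/repo[/subpath]@ref on a `uses:` line; any trailing comment is kept in `rest`
USES_RE = re.compile(
    r"^(?P<indent>\s*-?\s*uses:\s*)(?P<action>[^\s#@]+)@(?P<ref>[^\s#]+)(?P<rest>.*)$"
)
SHA_RE = re.compile(r"[0-9a-f]{40}")


def is_pinned(ref: str) -> bool:
    """Only a full 40-hex commit SHA is immutable; tags (v4), branches (main) and
    abbreviated SHAs can all be moved or retargeted by whoever controls the repo."""
    return SHA_RE.fullmatch(ref) is not None


def _unpinned_match(line: str) -> Optional[re.Match]:
    """Match for a `uses:` line whose remote action is not SHA-pinned, else None.
    Local actions (./path) and docker:// images are outside git pinning."""
    m = USES_RE.match(line)
    if not m or m.group("action").startswith(("./", "docker://")) or is_pinned(m.group("ref")):
        return None
    return m


def find_unpinned(workflow: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, action, ref) for every remote action not pinned to a SHA."""
    return [(n, m.group("action"), m.group("ref"))
            for n, line in enumerate(workflow.splitlines(), 1)
            if (m := _unpinned_match(line))]


def pin_workflow(workflow: str, resolve: Dict[str, str]) -> str:
    """Rewrite `owner/repo@tag` to `owner/repo@<sha> # tag`; the tag stays as a
    comment so humans and Dependabot can still see which version is pinned.
    `resolve` maps "owner/repo@tag" -> full SHA; unknown refs are left untouched."""
    out = []
    for line in workflow.splitlines():
        m = _unpinned_match(line)
        if m:
            action, ref, rest = m.group("action"), m.group("ref"), m.group("rest")
            # a subpath action (github/codeql-action/init) is resolved via its repo
            sha = resolve.get("/".join(action.split("/")[:2]) + "@" + ref)
            if sha and is_pinned(sha):
                comment = "" if "#" in rest else f" # {ref}"
                line = f"{m.group('indent')}{action}@{sha}{comment}{rest}"
        out.append(line)
    return "\n".join(out) + ("\n" if workflow.endswith("\n") else "")


def ecosystem_blocks(dependabot_yml: str) -> Dict[str, str]:
    """Split dependabot.yml into the text of each `package-ecosystem` entry
    (line-based so this example needs no YAML library)."""
    blocks: Dict[str, str] = {}
    name, current = None, []
    for line in dependabot_yml.splitlines():
        m = re.match(r'^\s*-\s*package-ecosystem:\s*"?([\w-]+)"?', line)
        if m:
            if name:
                blocks[name] = "\n".join(current)
            name, current = m.group(1), []
        if name:
            current.append(line)
    if name:
        blocks[name] = "\n".join(current)
    return blocks


def ignores_routine_updates(block: str) -> bool:
    """True if an entry filters semver-minor/patch bumps. For hash-pinned actions
    that is a bug: a SHA never advances by itself, so each release must arrive
    as a Dependabot PR."""
    return "version-update:semver-minor" in block or "version-update:semver-patch" in block


# Constructed sample workflow: two tag refs, one already pinned, one local, one docker.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v4.7.0
      - uses: github/codeql-action/init@v2
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.18
"""

# Constructed tag->SHA table with placeholder SHAs (not real commits).
RESOLVE = {"actions/checkout@v4": "1" * 40, "github/codeql-action@v2": "2" * 40}

# Constructed "before": the github-actions entry still ignores minor/patch bumps.
SAMPLE_DEPENDABOT_BEFORE = """\
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
    ignore:
      - dependency-name: "*"
        update-types:
          - "version-update:semver-minor"
          - "version-update:semver-patch"
  - package-ecosystem: "pip"
    directory: "/Tools/"
    schedule:
      interval: "monthly"
"""

# Constructed "after": no ignore filter; the `groups` stanza (assumed) batches
# all action bumps into one monthly PR.
SAMPLE_DEPENDABOT_AFTER = """\
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
    groups:
      actions:
        patterns:
          - "*"
"""

if __name__ == "__main__":
    print("unpinned before:", find_unpinned(SAMPLE_WORKFLOW))
    print(pin_workflow(SAMPLE_WORKFLOW, RESOLVE))
    for eco, block in ecosystem_blocks(SAMPLE_DEPENDABOT_BEFORE).items():
        print(eco, "ignores minor/patch:", ignores_routine_updates(block))
```

Running the block rewrites the two tag references to placeholder SHAs with the tag kept as a trailing comment, leaves the local and docker steps untouched, and reports that only the `github-actions` entry of the "before" config carries the minor/patch filter, which matches the author's description of the `pip` entry having no `ignore` field.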

@hugovk (Member)

hugovk commented Sep 13, 2023

Thanks for the PR, closing per discussion in #109110.

@hugovk hugovk closed this Sep 13, 2023
Linked issue (#109110): Hash-pin GitHub Actions to increase workflow resiliency