CI: Pin Github action dependencies#2779

Merged
hoffie merged 1 commit into jamulussoftware:master from hoffie:workflow-pin-deps
Aug 14, 2022

Conversation

Member

@hoffie hoffie commented Aug 12, 2022

Short description of changes

External dependencies should only be updated after manual review for security reasons (#1737). In addition, they need to be stable during the release process.

  • dev-drprasad/delete-tag-and-release is updated from v0.1.2 to v0.2.0 (via hash); diff has been reviewed
  • devbotsxyz/xcode-staple is unchanged at the latest v1 commit
  • maxim-lobanov/setup-xcode is unchanged at the latest v1 commit

github/* and action/* dependencies are kept as-is as they are considered trusted due to their official status and the inevitable dependency and trust on Github.

CHANGELOG: SKIP

Context: Fixes an issue?

Related: #1737

Does this change need documentation? What needs to be documented and how?

This specific change does not need documentation.
The general need to pin Action dependencies should be documented. This is being tracked in #1737.

Status of this Pull Request

Ready.

What is missing until this pull request can be merged?

Reviews.

cc @emlynmac as two signing-related deps are affected.

Checklist

  • I've verified that this Pull Request follows the general code principles
  • I tested my code and it does what I want
  • My code follows the style guide
  • I waited some time after this Pull Request was opened and all GitHub checks completed without errors.
  • I've filled all the content above

Test for completeness after this PR (no tag-based pinning for non-official deps anymore):

$ grep uses.*@ .github/workflows/* | grep -vP ':.*(actions|github)/'
.github/workflows/autobuild.yml:        uses:                       dev-drprasad/delete-tag-and-release@085c6969f18bad0de1b9f3fe6692a3cd01f64fe5
.github/workflows/autobuild.yml:        uses:                       maxim-lobanov/setup-xcode@4aa4176a819ae7c019451acfda0bba67bffc6704
.github/workflows/autobuild.yml:        uses:                       devbotsxyz/xcode-notarize@d7219e1c390b47db8bab0f6b4fc1e3b7943e4b3b
.github/workflows/autobuild.yml:        uses:                       devbotsxyz/xcode-staple@ae68b22ca35d15864b7f7923e1a166533b2944bf
.github/workflows/coding-style-check.yml:      uses: DoozyX/clang-format-lint-action@2a28e3a8d9553f244243f7e1ff94f6685dff87be

External dependencies should only be updated after manual review for
security reasons (jamulussoftware#1737).
In addition, they need to be stable during the release process.

- dev-drprasad/delete-tag-and-release is updated from v0.1.2 to v0.2.0
  (via hash); diff has been reviewed
- devbotsxyz/xcode-staple is unchanged at the latest v1 commit
- maxim-lobanov/setup-xcode is unchanged at the latest v1 commit

github/* and action/* dependencies are kept as-is as they are considered
trusted due to their official status and the inevitable dependency and
trust on Github.

Related: jamulussoftware#1737
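The completeness check above only lists the third-party `uses:` lines; it still relies on a human to eyeball whether each reference is a commit hash. Below is an added example (not part of this PR or the Jamulus repository) that automates that judgement: it extracts every `uses:` reference from workflow YAML, exempts the `actions/*` and `github/*` namespaces exactly as the PR's policy does, and reports any remaining reference that is not a full 40-hex commit SHA. The workflow text is constructed sample input; the trailing `# vX` comment convention after a SHA is tolerated.

```shell
#!/bin/sh
# Added example: verify that every third-party GitHub Action in a workflow is
# pinned to a full commit SHA rather than a mutable tag or branch name.
# actions/* and github/* are exempted, matching the policy stated in the PR.

# Constructed sample workflow (not Jamulus's real autobuild.yml). Two of the
# three third-party actions are deliberately left on mutable refs.
SAMPLE_WORKFLOW=$(cat <<'EOF'
jobs:
  build:
    steps:
      - uses: actions/checkout@v3
      - uses: dev-drprasad/delete-tag-and-release@085c6969f18bad0de1b9f3fe6692a3cd01f64fe5 # v0.2.0
      - uses: devbotsxyz/xcode-staple@v1
      - uses: DoozyX/clang-format-lint-action@master
EOF
)

# Read workflow YAML on stdin; print each unpinned third-party "owner/repo@ref"
# on its own line. Prints nothing when everything is pinned.
find_unpinned_actions() {
    # 1. keep only the value of each "uses:" key (list dash and indent stripped)
    # 2. drop the official namespaces the PR treats as trusted
    # 3. drop refs that are a 40-hex SHA (optionally followed by a comment)
    sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*//p' \
        | grep -vE '^(actions|github)/' \
        | grep -vE '@[0-9a-f]{40}([[:space:]]|$)' || true
}

# Take workflow YAML as an argument; exit 0 when all third-party actions are
# pinned, otherwise list the offenders on stderr and exit 1 (CI-friendly).
check_workflow_pinned() {
    unpinned=$(printf '%s\n' "$1" | find_unpinned_actions)
    if [ -n "$unpinned" ]; then
        printf 'Unpinned third-party actions:\n%s\n' "$unpinned" >&2
        return 1
    fi
    return 0
}
```

Run it over a real tree with `cat .github/workflows/*.yml | find_unpinned_actions`; a SHA pin only proves immutability, so the review of the pinned commit's diff described in the PR is still a separate step.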
@hoffie hoffie requested a review from ann0see August 12, 2022 12:29
@hoffie hoffie added this to the Release 3.9.1 milestone Aug 12, 2022
Member

ann0see commented Aug 12, 2022

Did you check that a release still works correctly? I'd assume yes since nothing big changes. Probably it's worth testing it in combination with the signing.

Member Author

hoffie commented Aug 12, 2022

Did you check that a release still works correctly? I'd assume yes since nothing big changes.

I've confirmed equality for the two xcode-related actions. I have reviewed the diff for the delete-tag-and-release action and have just kicked off two test runs:

Probably it's worth testing it in combination with the signing.

I don't expect any breakage there. We are literally pinning the very version which had been used for the 3.9.0 release.

Member

@ann0see ann0see left a comment

Ok. Thanks for the confirmation

@hoffie hoffie requested a review from pljones August 13, 2022 11:11
@hoffie hoffie merged commit 29a87d6 into jamulussoftware:master Aug 14, 2022