CI: Pin Github action dependencies #2779
Merged: hoffie merged 1 commit into jamulussoftware:master on Aug 14, 2022
Conversation
External dependencies should only be updated after manual review for security reasons (jamulussoftware#1737). In addition, they need to be stable during the release process.

- dev-drprasad/delete-tag-and-release is updated from v0.1.2 to v0.2.0 (via hash); diff has been reviewed
- devbotsxyz/xcode-staple is unchanged at the latest v1 commit
- maxim-lobanov/setup-xcode is unchanged at the latest v1 commit

github/* and action/* dependencies are kept as-is as they are considered trusted due to their official status and the inevitable dependency and trust on Github.

Related: jamulussoftware#1737
Member:
Did you check that a release still works correctly? I'd assume yes since nothing big changes. Probably it's worth testing it in combination with the signing.
Author (Member):
I've confirmed equality for the two xcode-related actions. I have reviewed the diff for the delete-tag-and-release action and have just kicked off two test runs:
I don't expect any breakage there. We are literally pinning the very version which had been used for the 3.9.0 release.
ann0see (Member) approved these changes on Aug 13, 2022 and left a comment:
Ok. Thanks for the confirmation.
pljones reviewed and approved these changes on Aug 14, 2022.
Short description of changes
External dependencies should only be updated after manual review for security reasons (#1737). In addition, they need to be stable during the release process.
github/* and action/* dependencies are kept as-is as they are considered trusted due to their official status and the inevitable dependency and trust on Github.
CHANGELOG: SKIP
Context: Fixes an issue?
Related: #1737
Does this change need documentation? What needs to be documented and how?
This specific change does not need documentation.
The general need to pin Action dependencies should be documented. This is being tracked in #1737.
Status of this Pull Request
Ready.
What is missing until this pull request can be merged?
Reviews.
cc @emlynmac as two signing-related deps are affected.
Checklist
Test for completeness after this PR (no tag-based pinning for non-official deps anymore):
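The completeness check the checklist asks for can be automated. The following is an added example, not code from the Jamulus repository: it scans a workflow file for `uses:` references and reports third-party actions whose ref is not a full 40-hex commit SHA, exempting `actions/*` and `github/*` (the PR's trusted owners), local actions and docker references. The embedded workflow and its SHAs are constructed placeholders, not the project's real workflow.

```python
import re

# Constructed sample workflow for the check below; the SHA values are placeholders,
# not real commits of the actions named. Two steps are deliberately tag-pinned.
SAMPLE_WORKFLOW = """\
name: release
on: [push]
jobs:
  build:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v3
      - uses: maxim-lobanov/setup-xcode@0123456789abcdef0123456789abcdef01234567 # v1
        with:
          xcode-version: latest
      - uses: devbotsxyz/xcode-staple@v1
      - uses: dev-drprasad/delete-tag-and-release@v0.2.0
      - run: ./build.sh
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.16
"""

# Owners whose actions the PR treats as trusted and leaves tag-pinned.
TRUSTED_OWNERS = {"actions", "github"}
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `- uses: owner/repo@ref` lines; stops at whitespace or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


def parse_uses(text):
    """Yield (line_no, reference) for every `uses:` entry in a workflow."""
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            yield n, m.group(1).strip("\"'")


def classify(ref):
    """Classify one uses: reference.

    Returns 'local' (./path), 'docker' (docker://...), 'trusted' (owner in
    TRUSTED_OWNERS), 'pinned' (full commit SHA) or 'unpinned' (tag, branch or
    missing ref on a third-party action).
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    repo, _, version = ref.partition("@")
    owner = repo.split("/", 1)[0]
    if owner in TRUSTED_OWNERS:
        return "trusted"
    if SHA_RE.match(version):
        return "pinned"
    return "unpinned"


def find_unpinned(text):
    """Return [(line_no, ref)] for third-party actions not pinned to a full commit SHA."""
    return [(n, ref) for n, ref in parse_uses(text) if classify(ref) == "unpinned"]


if __name__ == "__main__":
    for n, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {n}: {ref} is not pinned to a commit SHA")
```

Run against the sample, the check flags the two tag-pinned third-party steps and accepts the SHA-pinned one. A SHA pin is immutable where a tag can be moved, but it only shifts the trust question to the review of the pinned commit's diff, which is the manual step the PR description calls for; keeping a `# v1`-style comment after the SHA records which release the hash corresponds to.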