Conversation

@evverx
Contributor

@evverx evverx commented Nov 11, 2021

Turns out GHActions where pull_request_target is used are capable
of pwning repositories: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

labeler doesn't check out the source code or build anything so
it's safe in its current form but to avoid surprises let's just pin
it to the latest version. It's annoying to manage dependencies like this
manually so additionally dependabot.yml is introduced to make it
easier to keep GHActions up to date more or less automatically:
https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/keeping-your-actions-up-to-date-with-dependabot

@mrc0mmand could you take a look? Dependabot will create PRs like evverx#10, evverx#12, evverx#11 once the PR is merged.

Turns out GHActions where `pull_request_target` is used are capable
of pwning repositories: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

labeler doesn't check out the source code or build anything so
it's safe in its current form but to avoid surprises let's just pin
it to the latest version. It's annoying to manage dependencies like this
manually so additionally dependabot.yml is introduced to make it
easier to keep GHActions up to date more or less automatically:
https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/keeping-your-actions-up-to-date-with-dependabot
to let Dependabot keep track of them using SHAs

codeql-actions doesn't point to SHAs because it isn't clear
whether Dependabot supports their release cycle mentioned
at github/codeql-action#307
@evverx evverx added the ci label Nov 11, 2021
runs-on: ubuntu-latest
steps:
- uses: actions/labeler@main
- uses: actions/labeler@v3.0.2
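Review bot: replacing `@main` with `@v3.0.2` removes the floating-branch reference, but a tag is still a mutable pointer that the action's maintainers (or anyone who gains write access to the action repository) can move to different code. For an action running under `pull_request_target`, the immutable choice is the full commit SHA of that release, e.g. `- uses: actions/labeler@<commit-sha>  # v3.0.2` with the tag kept in a comment for readability; the thread's later comment confirms Dependabot can keep such SHA pins up to date, so the maintenance cost is the same as for a tag.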
Contributor Author


Judging by https://github.com/evverx/systemd/pull/10/files, Dependabot supports pinning GHActions to specific SHAs. I'll try to switch to SHAs instead of tags
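A small audit script for the two concerns raised in this PR: actions referenced by a mutable tag or branch instead of a commit SHA, and `pull_request_target` workflows that also check out code. This is an added example, not code from the systemd repository or from the PR; the workflow text and the 40-hex SHA in it are constructed placeholders.

```python
import re

# Constructed sample, modelled on the labeler job shown in this PR's diff
# (this is not the systemd repository's actual workflow file).
SAMPLE_WORKFLOW = """\
name: Labeler
on: pull_request_target
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@main
      - uses: actions/labeler@v3.0.2
      - uses: actions/labeler@0123456789abcdef0123456789abcdef01234567  # placeholder SHA, v3.0.2
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PRT_RE = re.compile(r"^on:.*pull_request_target|^\s+pull_request_target:|^\s*-\s*pull_request_target\s*$",
                    re.MULTILINE)


def parse_uses(workflow_text):
    """Return [(action, ref)] for every `uses:` step, e.g. ("actions/labeler", "main").
    Local actions (./path) and docker:// references carry no @ref and are skipped."""
    refs = []
    for m in USES_RE.finditer(workflow_text):
        spec = m.group(1)
        if "@" not in spec:
            continue
        action, ref = spec.rsplit("@", 1)
        refs.append((action, ref))
    return refs


def unpinned(workflow_text):
    """Actions referenced by a branch or tag instead of a full 40-hex commit SHA.
    Branches and tags are mutable, so only a SHA is an immutable pin; Dependabot
    can keep SHA pins current (the approach this thread settles on)."""
    return [(a, r) for a, r in parse_uses(workflow_text) if not SHA_RE.match(r)]


def risky_pull_request_target(workflow_text):
    """True when a pull_request_target workflow also checks out code: that trigger
    runs with repository secrets, so building or running the PR's own code in it is
    the pattern the linked Security Lab article warns about. A labeler-only
    workflow (no checkout step) does not trip this check."""
    triggered = PRT_RE.search(workflow_text) is not None
    checks_out = any(a == "actions/checkout" for a, _ in parse_uses(workflow_text))
    return triggered and checks_out


if __name__ == "__main__":
    for action, ref in unpinned(SAMPLE_WORKFLOW):
        print(f"unpinned: {action}@{ref}")
    print("risky pull_request_target:", risky_pull_request_target(SAMPLE_WORKFLOW))
```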

@evverx
Contributor Author

evverx commented Nov 12, 2021

To be honest, I'm not sure what the point of the labeler action is considering labels often have to be added/updated manually. I'd just drop it and keep Dependabot to make it easier to keep track of the dependencies :-)

@mrc0mmand
Member

Turns out GHActions where pull_request_target is used are capable of pwning repositories: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

labeler doesn't check out the source code or build anything so it's safe in its current form but to avoid surprises let's just pin it to the latest version. It's annoying to manage dependencies like this manually so additionally dependabot.yml is introduced to make it easier to keep GHActions up to date more or less automatically: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/keeping-your-actions-up-to-date-with-dependabot

Hah. I didn't know you can use Dependabot for GH Actions, nice! That's definitely something we should have.

@bluca
Member

bluca commented Nov 12, 2021

To be honest, I'm not sure what the point of the labeler action is considering labels often have to be added/updated manually. I'd just drop it and keep Dependabot to make it easier to keep track of the dependencies :-)

It mostly gets things right for categorization, although with occasional mishaps. So I'd like to keep it, as it's nice to have things labelled for later easy searches

@evverx
Contributor Author

evverx commented Nov 12, 2021

So I'd like to keep it, as it's nice to have things labelled for later easy searches

@bluca got it. Let's keep it then.

@evverx evverx marked this pull request as ready for review November 12, 2021 16:19
Member

@mrc0mmand mrc0mmand left a comment


LGTM, thanks!

@mrc0mmand mrc0mmand added the good-to-merge/waiting-for-ci 👍 PR is good to merge, but CI hasn't passed at time of review. Please merge if you see CI has passed label Nov 12, 2021
@mrc0mmand mrc0mmand merged commit 59f5d2f into systemd:main Nov 12, 2021
evverx added a commit to evverx/systemd that referenced this pull request Nov 13, 2021
It's a follow-up to systemd#21316.

Judging by #36, Dependabot
supports their release cycle
mrc0mmand pushed a commit that referenced this pull request Nov 14, 2021
It's a follow-up to #21316.

Judging by evverx#36, Dependabot
supports their release cycle