Modernize CI #1616
Conversation
Prob less error prone?
Question for maintainer: clangd/.github/workflows/autobuild.yaml Lines 5 to 6 in 6e7f596
Unless one job takes over 24 hours to complete, this is not true: "Before each job begins, GitHub fetches an installation access token for the job. The GITHUB_TOKEN expires when a job finishes or after a maximum of 24 hours." Should I replace the Note: if this change goes through we also need to delete: clangd/.github/workflows/autobuild.yaml Line 136 in 6e7f596
Testing on: https://github.com/wusatosi/clangd/actions/runs/4874186461 Edit: Test passed, ready for review
@wusatosi I've messaged you on Discord.
According to OpenSSF security best practices it's generally a good idea to use explicit commit hashes to ensure that the actions themselves are reproducible and robust against malicious activity in the upstream action repos. See https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies for reasoning. However, I believe this is under the assumption that one has bots tracking these hashes and triggering automatic hash updates. In any case I think it's worth considering. The OpenSSF also recommends globally setting explicit I've just encountered this myself; here is how a pinned version could look: eomii/rules_ll@c927b80 (that repo is crawled by dependabot and renovate though). Here is how explicit permissions could look: eomii/rules_ll@4734461 My comments are not specific to this particular PR, and more so with the workflows in clangd in general, so feel free to ignore them for the sake of this PR.
@kadircet Would you mind taking a look?
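To make the two recommendations in the comment above concrete, here is an added illustration (not code from this PR or from clangd's own workflows) of a job step written with a floating tag, beside the same job pinned to a commit hash with a least-privilege `permissions` block and the release step done through the GitHub CLI as the PR description proposes. The action names are real; the 40-character hashes are placeholders to be resolved against the upstream tags, and the `# vN` comment beside each pin is what dependabot/renovate keep in sync.

```yaml
# Added illustration, not part of the clangd repository.
# BEFORE: floating tag. Whoever can move the tag in the upstream action repo
# controls what runs here, and GITHUB_TOKEN gets the repository's default scopes.
name: autobuild-before
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/upload-artifact@v3
        with:
          name: clangd
          path: build/
---
# AFTER: every action pinned to a full commit SHA (placeholders below; resolve
# the real SHA with e.g. `git ls-remote https://github.com/actions/checkout refs/tags/v3`),
# token scopes dropped to nothing globally and granted per job only as needed.
name: autobuild-after
on: [push]
permissions: {}              # no default scopes for GITHUB_TOKEN anywhere
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read         # checkout only needs to read the repo
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v3 (placeholder SHA)
      - uses: actions/upload-artifact@0000000000000000000000000000000000000000 # v3 (placeholder SHA)
        with:
          name: clangd
          path: build/
  release:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write        # the only job allowed to create a release
    steps:
      - uses: actions/download-artifact@0000000000000000000000000000000000000000 # v3 (placeholder SHA)
        with:
          name: clangd
      # gh replaces actions/create-release + actions/upload-release-asset;
      # the token is scoped to this job and expires when the job finishes.
      - run: gh release create "$GITHUB_REF_NAME" clangd/* --notes "automated build"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The pinned form trades convenience for auditability: a pin only stays useful if something (a bot or a reviewer) bumps the SHA and its `# vN` comment together.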
Sorry for shying away from this review for a while now. Any chance you can split those into different changes, updates of I am not so sure about the change to Re @aaronmondal, sure, using actions from explicit hashes instead of tags makes sense. Feel free to send a follow-up patch if @wusatosi doesn't do that already.
@kadircet Thanks for taking a look! I agree that
Hi, thanks for looking over this PR. I am in the middle of final exams and will update this PR once I have time.
This PR updates the auto-build CI pipeline. Specifically, it:
- updates actions/upload-artifact and actions/download-artifact and resolves the breaking change.
- replaces actions/create-release and actions/upload-release-asset with the GitHub CLI.
Successful test on latest commit:
https://github.com/wusatosi/clangd/actions/runs/4874186461
Generated release:
https://github.com/wusatosi/clangd/releases/tag/ci-test-12
Edit: Please review @kadircet @usx95 @sam-mccall