[GPCAPIM-336] Update GitHub Actions to use latest action versions and… #167
neil-sproston merged 2 commits into main from
Conversation
… pin via SHA for improved security
Pull request overview
This PR updates GitHub Actions workflow and composite-action dependencies to newer versions and pins third-party actions to full commit SHAs to improve supply-chain security.
Changes:
- Pinned actions/checkout, actions/setup-python, actions/upload-artifact, actions/download-artifact, and aws-actions/configure-aws-credentials to specific SHAs across workflows/composite actions.
- Updated a few workflow YAML formatting blocks (e.g., needs: formatting) and small comment/metadata tweaks.
- Removed large commented-out Trivy blocks in preview-env.yml and replaced with placeholder security-scanning notes.
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/stage-4-acceptance.yaml | Pin actions/checkout to a SHA; minor formatting. |
| .github/workflows/stage-3-build.yaml | Pin actions/checkout to a SHA. |
| .github/workflows/stage-2-test.yaml | Pin checkout/artifact actions to SHAs; reformatted merge-test-coverage.needs. |
| .github/workflows/stage-1-commit.yaml | Pin actions/checkout to a SHA across jobs. |
| .github/workflows/preview-env.yml | Pin checkout + AWS credentials action; replace large commented-out Trivy section with placeholders. |
| .github/workflows/cicd-3-deploy.yaml | Pin actions/checkout and update commented notify action reference to a SHA. |
| .github/workflows/cicd-2-publish.yaml | Pin actions/checkout + release actions to SHAs; minor YAML quoting/comment tweaks. |
| .github/workflows/cicd-1-pull-request.yaml | Pin actions/checkout to a SHA; adjust secrets indentation formatting. |
| .github/workflows/alpha-integration-env.yml | Pin checkout + AWS credentials action to SHAs. |
| .github/actions/setup-python-project/action.yaml | Pin actions/setup-python to a SHA. |
| .github/actions/scan-dependencies/action.yaml | Pin upload-artifact and AWS credentials action to SHAs. |
| .github/actions/create-lines-of-code-report/action.yaml | Pin upload-artifact and AWS credentials action to SHAs. |
| .github/actions/check-python-format/action.yaml | Pin actions/setup-python to a SHA. |
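The policy this PR applies (every third-party `uses:` reference pinned to a full 40-character commit SHA, with the tag kept in a trailing comment, and new pins left to age past a cooldown before merge) is easy to check mechanically. The script below is an added example, not part of this repository: it scans workflow text for `uses:` lines, flags tag refs, missing version comments, pins inside commented-out steps, and pins younger than the cooldown. The `commit_dates` mapping and the `0123…` SHA in the sample are constructed placeholders; in practice the dates would come from `git log` or the GitHub API.

```python
import re
from datetime import date
# A `uses:` line: optional leading comment marker (commented-out step), optional
# list dash, the action reference, and an optional trailing `# comment`.
USES_RE = re.compile(r"^\s*(?P<dead>#\s*)?-?\s*uses:\s*(?P<ref>[^\s#]+)\s*(?:#\s*(?P<note>.*))?$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def check_uses(workflow_text, commit_dates=None, today=None, min_age_days=7):
    """Return (line_no, problem) for `uses:` references that break the pinning policy.
    commit_dates maps a pinned SHA to its commit date (assumed to come from `git log`
    or the GitHub API); a pin younger than min_age_days is inside the cooldown."""
    findings = []
    today = today or date.today()
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if m.group("dead"):  # pin inside a commented-out step: never executed, never updated
            findings.append((n, f"pinned reference in commented-out step: {ref}"))
            continue
        if ref.startswith(("./", "docker://")):  # local actions and images are out of scope
            continue
        action, _, version = ref.rpartition("@")
        if not SHA_RE.match(version):  # covers both tag refs like @v2 and a missing @ref
            findings.append((n, f"not pinned to a full commit SHA: {ref}"))
            continue
        if not m.group("note"):  # Dependabot/Renovate keep this comment in sync with the SHA
            findings.append((n, f"SHA pin without version comment: {ref}"))
        if commit_dates and version in commit_dates:
            age = (today - commit_dates[version]).days
            if age < min_age_days:
                findings.append((n, f"pin is {age} days old, inside the {min_age_days}-day cooldown: {action}"))
    return findings

# Constructed sample mixing the before/after references from this PR; the 0123... SHA is a placeholder.
SAMPLE = """\
steps:
  - uses: ./.github/actions/setup-python-project
  - uses: actions/checkout@v4
  - name: "Authenticate to send the report"
    uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
  - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
  # - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567 # v4
"""
SAMPLE_DATES = {"ec61189d14ec14c8efccab744f656cffd0e33f37": date(2025, 1, 1)}  # constructed, not the real date
SAMPLE_TODAY = date(2025, 1, 4)
if __name__ == "__main__":
    for line_no, problem in check_uses(SAMPLE, SAMPLE_DATES, SAMPLE_TODAY):
        print(f"line {line_no}: {problem}")
```

Run it over `.github/workflows/*.y*ml` and `.github/actions/*/action.yaml` in CI to fail the build on any finding.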
| @@ -68,7 +68,7 @@ jobs: | |||
| # run: echo "secret_exist=${{ secrets.TEAMS_NOTIFICATION_WEBHOOK_URL != '' }}" >> $GITHUB_OUTPUT | |||
| # - name: "Notify on deployment to an environment" | |||
| # if: steps.check.outputs.secret_exist == 'true' | |||
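Review bot: every line of this hunk is commented out, so the SHA this change introduces is attached to a step that never runs; it adds no supply-chain protection, and Dependabot/Renovate only track live `uses:` keys, so a commented reference will go stale silently. Either reinstate the step behind the existing `# if: steps.check.outputs.secret_exist == 'true'` guard or delete the block. Also note the output name here is `secret_exist`, while the `configure-aws-credentials` step elsewhere in this PR checks `secrets_exist`; align the names if this block is ever revived.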
Can we just tidy this up by removing the commented out section instead? Always feels bad to keep commented out code since it's in git history anyway.
This is being done under the re-plumbing exercise that is ongoing; this PR is solely to pin to SHA versions.
| - name: "Authenticate to send the report" | ||
| if: steps.check.outputs.secrets_exist == 'true' | ||
| uses: aws-actions/configure-aws-credentials@v2 | ||
| uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0 |
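Review bot: the move from `configure-aws-credentials@v2` to the SHA tagged `v6.1.0` crosses four major versions in one step, so this hunk is more than a pin; check the action's release notes for renamed or removed inputs before merging, and confirm that the `# v6.1.0` comment is the tag this SHA actually resolves to, because Dependabot/Renovate read that comment to decide which version the pin currently represents and will propose updates relative to it.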
Bit of a picky point, but this is actually still within the 7 day "cooldown" that we ideally want to avoid. Probably worth just waiting until Monday before we merge. It's obviously unlikely to be a problem, but it's easy and means we're doing everything properly.
Approving now for merge on Monday
Description
Context
Type of changes
Checklist
Sensitive Information Declaration
To ensure the utmost confidentiality and protect your and others' privacy, we kindly ask you NOT to include PII (Personally Identifiable Information) / PID (Personally Identifiable Data) or any other sensitive data in this PR (Pull Request) or in the codebase changes. We will remove any PR that does contain sensitive information. We really appreciate your cooperation in this matter.