GH-36898: [CI] Hashpin Sensitive GitHub Actions #37676
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
For security reasons, it hashpins the calls for github actions that are called with sensitive permission (usually `pull-requests: write`) or with secrets used on the same context. I'm not hashpinning all action calls because the tag-pinning flexibility can be useful if used with caution, e.g. in testing environment. Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
diogoteles08
requested review from
assignUser,
kou and
raulcd
as code owners
|
|
|
Noticed that you have bumped some version at the time I was working on this. I'm working to resolve the conflicts |
Solves the merge conflicts caused by bump of actions/checkout from v3 to v4 Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
|
Ah sorry I missed this PR... I will check it out. |
assignUser
approved these changes
Oct 25, 2023
github-actions
bot
added
awaiting committer review
JerAguilon
pushed a commit
to JerAguilon/arrow
that referenced
this pull request
Oct 25, 2023
### Rationale for this change Explained on issue apache#36898 ### What changes are included in this PR? For security reasons, it hashpins the calls for github actions that are called with sensitive permission (usually `pull-requests: write`) or with secrets used on the same context. I'm not hashpinning every action call because the tag-pinning flexibility can be useful if used with caution, e.g. in testing environment. ### Are these changes tested? Not tested, but the changes on this PR shouldn't change any comportment of the CI, as we'd still be using the exact same version, but pinned differently. ### Are there any user-facing changes? No * Closes: apache#36898 Authored-by: Diogo Teles Sant'Anna <diogoteles@google.com> Signed-off-by: Jacob Wujciak-Jens <jacob@wujciak.de>
|
After merging your PR, Conbench analyzed the 5 benchmarking runs that have been run so far on merge-commit 91b642a. There were no benchmark performance regressions. 🎉 The full Conbench report has more details. It also includes information about 3 possible false positives for unstable benchmarks that are known to sometimes produce them. |
loicalleyne
pushed a commit
to loicalleyne/arrow
that referenced
this pull request
Nov 13, 2023
### Rationale for this change Explained on issue apache#36898 ### What changes are included in this PR? For security reasons, it hashpins the calls for github actions that are called with sensitive permission (usually `pull-requests: write`) or with secrets used on the same context. I'm not hashpinning every action call because the tag-pinning flexibility can be useful if used with caution, e.g. in testing environment. ### Are these changes tested? Not tested, but the changes on this PR shouldn't change any comportment of the CI, as we'd still be using the exact same version, but pinned differently. ### Are there any user-facing changes? No * Closes: apache#36898 Authored-by: Diogo Teles Sant'Anna <diogoteles@google.com> Signed-off-by: Jacob Wujciak-Jens <jacob@wujciak.de>
dgreiss
pushed a commit
to dgreiss/arrow
that referenced
this pull request
Feb 19, 2024
### Rationale for this change Explained on issue apache#36898 ### What changes are included in this PR? For security reasons, it hashpins the calls for github actions that are called with sensitive permission (usually `pull-requests: write`) or with secrets used on the same context. I'm not hashpinning every action call because the tag-pinning flexibility can be useful if used with caution, e.g. in testing environment. ### Are these changes tested? Not tested, but the changes on this PR shouldn't change any comportment of the CI, as we'd still be using the exact same version, but pinned differently. ### Are there any user-facing changes? No * Closes: apache#36898 Authored-by: Diogo Teles Sant'Anna <diogoteles@google.com> Signed-off-by: Jacob Wujciak-Jens <jacob@wujciak.de>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Rationale for this change
Explained on issue #36898
What changes are included in this PR?
For security reasons, it hashpins the calls for github actions that are called with sensitive permission (usually
pull-requests: write) or with secrets used on the same context. I'm not hashpinning every action call because the tag-pinning flexibility can be useful if used with caution, e.g. in testing environment.Are these changes tested?
Not tested, but the changes on this PR shouldn't change any comportment of the CI, as we'd still be using the exact same version, but pinned differently.
Are there any user-facing changes?
No