GH-36898: [CI] Hashpin Sensitive GitHub Actions #37676
Conversation
For security reasons, it hashpins the calls for github actions that are called with sensitive permission (usually `pull-requests: write`) or with secrets used on the same context. I'm not hashpinning all action calls because the tag-pinning flexibility can be useful if used with caution, e.g. in a testing environment.

Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
Noticed that you have bumped some version at the time I was working on this. I'm working to resolve the conflicts.

Solves the merge conflicts caused by the bump of actions/checkout from v3 to v4.

Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
Ah sorry I missed this PR... I will check it out.
Thanks for your contribution 🚀
I checked the commits for each version and they match up. Some have already released new minor versions but I am intentionally not updating those as a test for dependabot.
(CI failures are unrelated)
### Rationale for this change
Explained on issue apache#36898
### What changes are included in this PR?
For security reasons, it hashpins the calls for github actions that are called with sensitive permission (usually `pull-requests: write`) or with secrets used on the same context. I'm not hashpinning every action call because the tag-pinning flexibility can be useful if used with caution, e.g. in a testing environment.
### Are these changes tested?
Not tested, but the changes on this PR shouldn't change any comportment of the CI, as we'd still be using the exact same version, but pinned differently.
### Are there any user-facing changes?
No
* Closes: apache#36898

Authored-by: Diogo Teles Sant'Anna <diogoteles@google.com>
Signed-off-by: Jacob Wujciak-Jens <jacob@wujciak.de>

After merging your PR, Conbench analyzed the 5 benchmarking runs that have been run so far on merge-commit 91b642a. There were no benchmark performance regressions. 🎉 The full Conbench report has more details. It also includes information about 3 possible false positives for unstable benchmarks that are known to sometimes produce them.
### Rationale for this change
Explained on issue #36898
### What changes are included in this PR?
For security reasons, it hashpins the calls for github actions that are called with sensitive permission (usually `pull-requests: write`) or with secrets used on the same context. I'm not hashpinning every action call because the tag-pinning flexibility can be useful if used with caution, e.g. in a testing environment.
### Are these changes tested?
Not tested, but the changes on this PR shouldn't change any comportment of the CI, as we'd still be using the exact same version, but pinned differently.
### Are there any user-facing changes?
No
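The rule the PR applies (pin to a full commit SHA wherever an action runs with a `write` permission or with secrets in scope, leave tag pins elsewhere) is easy to state but tedious to review by hand across many workflow files. The script below is an added example, not part of this PR or of Arrow's tooling: it walks a workflow file with indentation-based parsing (no YAML library needed), marks a job as sensitive when it or the workflow grants any `<scope>: write` / `write-all` permission or references `secrets.`, and reports third-party `uses:` references in such jobs that are not a 40-hex SHA. The embedded workflow is constructed for the example, and the SHA on the `github-script` step is an all-zero placeholder, not a real commit. `pin_uses_line` shows the `@<sha> # vX` rewrite convention, which keeps the tag as a trailing comment so Dependabot can still bump pinned SHAs; the SHA passed to it must be resolved from the action's release tag out of band, the helper does not look it up.

```python
"""Audit GitHub Actions workflows for unpinned actions in sensitive contexts.

Added example for this PR thread; not Arrow's own tooling. A job is
"sensitive" when it (or the workflow level) grants a `<scope>: write` or
`write-all` permission, or when `secrets.` is referenced inside it.
If a workflow declares no `permissions:` block at all, GITHUB_TOKEN scopes
fall back to the repository default, which this script does not inspect.
"""
import re
import sys
from pathlib import Path

FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
WRITE_PERMISSION_RE = re.compile(r"^\s*[\w-]+:\s*write\s*$|permissions:\s*write-all", re.M)

# Constructed sample workflow (not from the Arrow repository).
# The github-script SHA is an all-zero placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: pr-helper
on: pull_request_target
permissions:
  contents: read
jobs:
  label:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/github-script@0000000000000000000000000000000000000000 # v6.4.1 (placeholder SHA)
        with:
          script: console.log("label")
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: ./.github/actions/local-helper
      - uses: example-org/uploader@v2
        with:
          token: ${{ secrets.UPLOAD_TOKEN }}
"""


def split_jobs(text):
    """Return (workflow-level lines, {job_name: job lines}) using indentation only."""
    top, jobs, current, in_jobs = [], {}, None, False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            in_jobs = stripped == "jobs:"
            current = None
            if not in_jobs:
                top.append(line)
            continue
        if in_jobs and indent == 2 and stripped.endswith(":"):
            current = stripped[:-1]  # a new job key under `jobs:`
            jobs[current] = []
            continue
        (jobs[current] if in_jobs and current else top).append(line)
    return top, jobs


def is_sensitive(lines):
    """True if these lines grant a write permission or reference secrets."""
    joined = "\n".join(lines)
    return bool(WRITE_PERMISSION_RE.search(joined)) or "secrets." in joined


def audit_workflow(text):
    """Return (job, uses_ref, sensitive) for every third-party action not pinned to a full SHA."""
    top, jobs = split_jobs(text)
    workflow_sensitive = is_sensitive(top)
    findings = []
    for job, lines in jobs.items():
        sensitive = workflow_sensitive or is_sensitive(lines)
        for line in lines:
            m = USES_RE.match(line)
            if not m:
                continue
            ref = m.group(1)
            if ref.startswith("./") or ref.startswith("docker://"):
                continue  # local actions live in the repo; docker refs are out of scope here
            _, _, version = ref.partition("@")
            if not FULL_SHA_RE.match(version):
                findings.append((job, ref, sensitive))
    return findings


def unpinned_in_sensitive_context(text):
    """Only the findings that the PR's policy says must be hash-pinned."""
    return [(job, ref) for job, ref, sensitive in audit_workflow(text) if sensitive]


def pin_uses_line(line, sha):
    """Rewrite `uses: owner/repo@vX` as `uses: owner/repo@<sha> # vX`.

    The tag survives as a trailing comment, the convention Dependabot reads
    when bumping SHA-pinned actions. `sha` must be resolved by the caller.
    """
    m = USES_RE.match(line)
    if not m or not FULL_SHA_RE.match(sha):
        raise ValueError("expected a uses: line and a 40-hex commit SHA")
    ref = m.group(1)
    action, _, tag = ref.partition("@")
    return line.replace(ref, f"{action}@{sha} # {tag}", 1)


if __name__ == "__main__":
    paths = [Path(p) for p in sys.argv[1:]]
    sources = [(str(p), p.read_text()) for p in paths] or [("<sample>", SAMPLE_WORKFLOW)]
    for name, text in sources:
        for job, ref in unpinned_in_sensitive_context(text):
            print(f"{name}: job '{job}' uses unpinned {ref} in a sensitive context")
```

Run it with one or more workflow paths (`python audit_pins.py .github/workflows/*.yml`) or with no arguments to audit the embedded sample, where only the `label` job (write permission) and the `publish` job (secret in scope) are reported and the tag-pinned `test` job is left alone, matching the PR's choice not to pin everything.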