Skip to content

ci(release-dmr): pin actions to commit SHAs, drop 3p release action#1000

Merged
ericcurtin merged 1 commit into
mainfrom
pin-release-dmr-actions
Jul 7, 2026
Merged

ci(release-dmr): pin actions to commit SHAs, drop 3p release action#1000
ericcurtin merged 1 commit into
mainfrom
pin-release-dmr-actions

Conversation

@ericcurtin

Copy link
Copy Markdown
Contributor

What

Pins the four GitHub Actions used by release-dmr.yml to the commit
SHAs already vetted/used elsewhere in this repo (release.yml,
ci.yml, e2e-test.yml, integration-test.yml), and replaces
softprops/action-gh-release@v2 with a gh release create step
matching the pattern release.yml already uses for the model-runner
container image releases.

Why

Pushing the dmr-v0.1.0 tag to trigger the first standalone dmr
release failed immediately:

The actions actions/checkout@v4, actions/setup-go@v5, and
actions/upload-artifact@v4 are not allowed in docker/model-runner
because all actions must be pinned to a full-length commit SHA.

release-dmr.yml was added referencing floating major-version tags
and a third-party release action, neither of which comply with the
org's action-pinning policy that every other workflow in this repo
already follows. No new action pins are introduced here — each SHA
already appears in an existing, presumably-reviewed workflow.

Testing

  • actionlint .github/workflows/release-dmr.yml passes.
  • Re-triggered the dmr-v0.1.0 release via workflow_dispatch after
    this merges to confirm the workflow runs end-to-end (see linked run).

release-dmr.yml used floating major-version tags (actions/checkout@v4,
actions/setup-go@v5, actions/upload-artifact@v4,
actions/download-artifact@v4) and the third-party
softprops/action-gh-release@v2 action. Org policy requires every action
be pinned to a full-length commit SHA, so pushing the dmr-v0.1.0 tag
failed immediately with 'actions must be pinned to a full-length commit
SHA' before a single build step ran.

Pin the four actions to the same commit SHAs already used elsewhere in
this repo (release.yml, ci.yml, e2e-test.yml, integration-test.yml) so
there is a single already-vetted pin per action instead of introducing
new ones. Replace softprops/action-gh-release with a 'gh release
create' step, matching the pattern release.yml already uses for the
model-runner container image releases, so we don't need to pin/vet a
new third-party action just for this workflow.
@gemini-code-assist

Copy link
Copy Markdown
Contributor

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've reviewed your changes and they look great!


Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@ericcurtin ericcurtin merged commit d62a635 into main Jul 7, 2026
14 checks passed
@ericcurtin ericcurtin deleted the pin-release-dmr-actions branch July 7, 2026 14:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants