Merge pull request #3027 from ericpre/pin_third_party_github_actions

Pin third party GitHub actions

.github/workflows/nightly-merge.yml

@@ -15,7 +15,7 @@ jobs:
       uses: actions/checkout@v2
 
     - name: Nightly Merge
-      uses: robotology/gh-action-nightly-merge@v1.3.3
+      uses: robotology/gh-action-nightly-merge@22f5e45d028f22837d617fa07512925457eec184
       with:
         stable_branch: 'RELEASE_next_patch'
         development_branch: 'RELEASE_next_minor'

.github/workflows/release.yml

@@ -21,12 +21,10 @@ jobs:
         uses: actions/checkout@v3
       - name: Create Release
         id: create_release
-        uses: actions/create-release@v1
+        uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions
         with:
-          tag_name: ${{ github.ref }}
-          release_name: Release ${{ github.ref }}
           draft: false
           prerelease: false
 
@@ -111,7 +109,7 @@ jobs:
           python -m build --sdist
 
       - name: Build manylinux Python wheels
-        uses: RalfG/python-wheels-manylinux-build@v0.4.2
+        uses: RalfG/python-wheels-manylinux-build@c244013d850d8df62e9c7dd3ddab0cc581308de6
         with:
           python-versions: 'cp37-cp37m cp38-cp38 cp39-cp39 cp310-cp310'
           build-requirements: 'cython'

doc/dev_guide/maintenance.rst

@@ -0,0 +1,34 @@
+.. _maintenance-label:
+
+Maintenance
+===========
+
+GitHub Workflows
+^^^^^^^^^^^^^^^^
+
+`GitHub workflows <https://github.com/hyperspy/hyperspy/actions>`_ are used to:
+
+ * run the test suite
+ * build packages and upload to pypi and GitHub release
+ * build the documentation and check the links
+
+Some of these workflow need to access `GitHub "secrets" <https://docs.github.com/en/actions/security-guides/encrypted-secrets>`_,
+which are private to the HyperSpy repository, in order to be able to upload to pypi or the
+`GITHUB_TOKEN <https://docs.github.com/en/actions/security-guides/automatic-token-authentication>`_
+to push code to the other branches.
+To reduce the risk that these "secrets" are made accessible publicly, for example, through the
+injection of malicious code by third parties in one of the GitHub workflows used in the HyperSpy
+organisation, the third party actions (those that are not provided by established trusted parties)
+are pinned to the ``SHA`` of a specific commit, which is trusted not to contain malicious code.
+
+Updating GitHub Actions
+^^^^^^^^^^^^^^^^^^^^^^^
+
+The workflows in the HyperSpy repository use GitHub actions provided by established trusted parties
+and third parties. They are updated regularly by the
+`dependabot <https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates>`_
+in pull requests.
+
+When updating a third party action, the action has to be pinned using the ``SHA`` of the commit of
+the updated version and the corresponding code changes will need to be reviewed to verify that it
+doesn't include malicious code.

doc/index.rst

@@ -47,6 +47,7 @@ Welcome to HyperSpy's documentation!
    dev_guide/speeding_up_code.rst
    dev_guide/writing_extensions.rst
    dev_guide/useful_information.rst
+   dev_guide/maintenance.rst
 
 .. toctree::
    :maxdepth: 2

upcoming_changes/3027.maintenance.rst

@@ -0,0 +1 @@
+Pin third party GitHub actions and add maintenance guidelines on how to update them