Merge pull request #3027 from ericpre/pin_third_party_github_actions
Pin third party GitHub actions
Showing 6 changed files with 39 additions and 30 deletions.
This file was deleted.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
.. _maintenance-label: | ||
|
||
Maintenance | ||
=========== | ||
|
||
GitHub Workflows | ||
^^^^^^^^^^^^^^^^ | ||
|
||
`GitHub workflows <https://github.com/hyperspy/hyperspy/actions>`_ are used to: | ||
|
||
* run the test suite | ||
* build packages and upload to pypi and GitHub release | ||
* build the documentation and check the links | ||
|
||
Some of these workflow need to access `GitHub "secrets" <https://docs.github.com/en/actions/security-guides/encrypted-secrets>`_, | ||
which are private to the HyperSpy repository, in order to be able to upload to pypi or the | ||
`GITHUB_TOKEN <https://docs.github.com/en/actions/security-guides/automatic-token-authentication>`_ | ||
to push code to the other branches. | ||
To reduce the risk that these "secrets" are made accessible publicly, for example, through the | ||
injection of malicious code by third parties in one of the GitHub workflows used in the HyperSpy | ||
organisation, the third party actions (those that are not provided by established trusted parties) | ||
are pinned to the ``SHA`` of a specific commit, which is trusted not to contain malicious code. | ||
|
||
Updating GitHub Actions | ||
^^^^^^^^^^^^^^^^^^^^^^^ | ||
|
||
The workflows in the HyperSpy repository use GitHub actions provided by established trusted parties | ||
and third parties. They are updated regularly by the | ||
`dependabot <https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates>`_ | ||
in pull requests. | ||
|
||
When updating a third party action, the action has to be pinned using the ``SHA`` of the commit of | ||
the updated version and the corresponding code changes will need to be reviewed to verify that it | ||
doesn't include malicious code. |
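Review bot: the guideline tells maintainers to pin third-party actions to a commit ``SHA`` (lines "are pinned to the ``SHA`` of a specific commit" and "the action has to be pinned using the ``SHA``") but never says how to check that the SHA actually belongs to the tagged release of that action, which is the step that makes the pin meaningful; suggest adding one sentence in "Updating GitHub Actions" telling the reviewer to confirm the SHA against the tag on the action's releases page before approving the dependabot pull request, and to keep a trailing ``# vX.Y.Z`` comment next to the pinned SHA so the version being pinned stays readable in the workflow file. Two small wording fixes in the same hunk: "Some of these workflow need" should read "Some of these workflows need", and "pypi" should be written "PyPI" (both occurrences).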
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
Pin third party GitHub actions and add maintenance guidelines on how to update them |
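Review bot: the changelog entry mentions "maintenance guidelines" but gives the reader no way to find them; since the new page defines the ``maintenance-label`` reference target in the other hunk, suggest linking it here, e.g. "add :ref:`maintenance guidelines <maintenance-label>` on how to update them", and ending the entry with a period to match a sentence-style fragment.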