
Conversation

@jsonbailey
Contributor

No description provided.

@jsonbailey jsonbailey requested a review from a team as a code owner June 2, 2025 14:46
@jsonbailey jsonbailey merged commit f18da8a into main Jun 2, 2025
20 of 22 checks passed
@jsonbailey jsonbailey deleted the jb/set-release-please-types branch June 2, 2025 14:47

steps:
- uses: google-github-actions/release-please-action@v4
- uses: googleapis/release-please-action@v4
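Review bot: the replacement `uses:` line still references the mutable `v4` tag, so anyone who can move or re-tag `v4` in the upstream repository changes the code this workflow runs; since the reference is being rewritten from `google-github-actions/release-please-action` to `googleapis/release-please-action` anyway, pin the new path to a full 40-character commit SHA and keep the release version in a trailing comment, e.g. `- uses: googleapis/release-please-action@<full-commit-sha> # v4.x.y`, so the pin stays readable and can still be bumped by dependency tooling.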

Semgrep identified an issue in your code:
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

To resolve this comment:

✨ Commit Assistant fix suggestion

Suggested change
- uses: googleapis/release-please-action@v4
# Pinned to release-please-action v4.1.3 (latest v4 as of 2024-06-19) full commit SHA for security.
- uses: googleapis/release-please-action@e4a25f5d3b35603cdb70b79679d3f42b8415fafe
View step-by-step instructions
  1. Go to the official googleapis/release-please-action GitHub repository and find the latest commit SHA for the v4 branch or tag: https://github.com/googleapis/release-please-action/commits/v4
  2. Copy the full 40-character commit SHA for the latest desired release.
  3. Update the uses: line from googleapis/release-please-action@v4 to googleapis/release-please-action@<full-commit-sha>, replacing <full-commit-sha> with the value you copied.
    For example: uses: googleapis/release-please-action@e4a25f5d3b35603cdb70b79679d3f42b8415fafe
  4. Save your changes.

Pinning actions to a full commit SHA ensures that your workflow will always use exactly the same version of the action code, even if the branch or release tag is moved or changed later.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by third-party-action-not-pinned-to-commit-sha.

You can view more details about this finding in the Semgrep AppSec Platform.
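The Semgrep steps above describe pinning one reference by hand. The script below is an added example (not code from this pull request, from Semgrep, or from release-please) that automates the same check and rewrite over a whole workflow file: it classifies every `uses:` reference, reports the ones that point at a mutable tag or branch, leaves local (`./`) and `docker://` steps alone, and rewrites the mutable references for which a full commit SHA is known, keeping the human-readable version as a trailing comment. The `SAMPLE_WORKFLOW` text and the `PINS` table are constructed for the example; the release-please SHA in `PINS` is the one the Semgrep suggestion above proposes for v4.1.3 (taken from that suggestion, not independently verified here), and `actions/checkout` is deliberately absent from the table to show how an unresolved reference is reported.

```python
"""Find and pin mutable GitHub Actions references to full commit SHAs.

Added example for this thread; not the PR's code, Semgrep's, or release-please's.
"""
import re
from typing import Dict, List, Tuple

# A full-length Git object name: exactly 40 lowercase hex digits.
SHA_RE = re.compile(r"[0-9a-f]{40}")
# A `uses:` step line; `ref` is the action reference, `rest` any trailing text/comment.
USES_RE = re.compile(r"^(?P<prefix>\s*-?\s*uses:\s*)(?P<ref>[^\s#]+)(?P<rest>.*)$")

# Constructed workflow input for the example (not the pull request's file).
SAMPLE_WORKFLOW = """\
name: release-please
on:
  push:
    branches: [main]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: googleapis/release-please-action@v4
        with:
          release-type: node
      - uses: ./.github/actions/build
      - uses: docker://alpine:3.20
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567
"""

# "owner/repo@tag" -> (full commit SHA, version label). The release-please entry
# is the SHA the Semgrep suggestion in this thread proposes for v4.1.3; the
# actions/checkout tag is left out on purpose so it shows up as unresolved.
PINS: Dict[str, Tuple[str, str]] = {
    "googleapis/release-please-action@v4": (
        "e4a25f5d3b35603cdb70b79679d3f42b8415fafe", "v4.1.3"),
}


def classify(ref: str) -> Tuple[str, str, str]:
    """Classify one action reference as (kind, path, version).

    kind is 'local' (./path in the calling repo), 'docker' (docker:// image,
    which would be pinned by digest instead), 'sha' (already a 40-hex commit)
    or 'mutable' (a tag or branch the upstream owner can move or re-point).
    """
    if ref.startswith("./"):
        return "local", ref, ""
    if ref.startswith("docker://"):
        return "docker", ref, ""
    path, sep, version = ref.rpartition("@")   # rpartition keeps owner/repo/subdir intact
    if not sep:
        return "mutable", ref, ""
    if SHA_RE.fullmatch(version):
        return "sha", path, version
    return "mutable", path, version


def find_unpinned(workflow: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, ref) for every mutable remote reference."""
    findings = []
    for lineno, line in enumerate(workflow.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify(m.group("ref"))[0] == "mutable":
            findings.append((lineno, m.group("ref")))
    return findings


def pin_workflow(workflow: str, pins: Dict[str, Tuple[str, str]]) -> Tuple[str, List[str]]:
    """Rewrite mutable refs present in `pins` to `path@sha # label`.

    Returns the rewritten workflow text and the refs that had no known pin.
    """
    out, unresolved = [], []
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if m:
            ref = m.group("ref")
            kind, path, _ = classify(ref)
            if kind == "mutable":
                if ref in pins:
                    sha, label = pins[ref]
                    # Keep the release name in a comment so reviewers (and
                    # Dependabot/Renovate) can still tell which version the SHA is.
                    line = f"{m.group('prefix')}{path}@{sha} # {label}"
                else:
                    unresolved.append(ref)
        out.append(line)
    return "\n".join(out) + "\n", unresolved


if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: not pinned to a commit SHA: {ref}")
    fixed, left = pin_workflow(SAMPLE_WORKFLOW, PINS)
    print(fixed)
    for ref in left:
        print(f"still unresolved (no SHA supplied): {ref}")
```

In practice the SHA for each tag comes from `git ls-remote --tags https://github.com/<owner>/<repo> <tag>` and should be checked against the upstream release page before it goes into the table, because pinning only freezes whatever commit the tag pointed at when you looked; a tag that has already been moved pins you to the moved commit.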

