Update action hashes in recipe #946
Comments
These are automatically upgraded by dependabot. Thanks!

Thanks for the report @pnacht. For this issue and #945 I think the starter workflow needs to be updated. You mentioned you'd be willing to send a PR, so I'll take you up on that :) If you could update the starter workflow template here, that should fix both #945 and this issue.

Sure thing @azeemshaikh38. One question, though: is there some recommended means to test GHAs? I'm especially concerned regarding the codeql-action, since it had a major version upgrade and so might have breaking changes. I haven't seen anything relevant on the changelog, but still. I could just try it on one repo and see if it works, but that doesn't sound right.

We have e2e tests set up for the GHA - https://github.com/ossf-tests/scorecard-action/blob/main/.github/workflows/scorecards-latest-release.yml. Do you want to test your updates there first?

Yeah, that sounds safer. Should I just write a PR modifying that test and see if it crashes? Do I even need to submit the PR, or can I just run my own fork (with my own SCORECARD_READ_TOKEN)?

Hmm, up to you really. Making a PR would help us keep our e2e tests more up-to-date. But if that's too much work, feel free to skip and just test locally.
Resolved by actions/starter-workflows#1775. |
Issue description

The Scorecard Action recipe relies on a few different GitHub Actions:

These Actions all have newer versions

I've already tried the updated `checkout` and `upload-artifact` versions and they work just fine. `checkout` seems to have mostly bumped up a few npm package versions (changelog). `upload-artifact` added checksums to reduce file corruption issues which apparently happen from time to time (changelog).

The `codeql-action` has multiple new versions, and has had a major-version increase to v2. v1 will be deprecated as of December 2022, a warning I've seen displayed... somewhere while setting up the Action. I have not yet checked whether there are any breaking changes between v1 and v2 for `codeql-action/upload-sarif`.
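The issue is about keeping the `uses:` references in the recipe pinned to full commit SHAs (with a readable version comment) while bumping them, and about being careful when a bump crosses a major version, as with `codeql-action` v1 to v2. As an added example, not code from this issue, the scorecard-action project, or the starter workflow, the stdlib-only Python below audits a workflow's `uses:` lines for exactly those two properties. The workflow text and the 40-character SHAs in it are constructed placeholders, not real commits of the named actions; `is_major_bump` is a hypothetical helper for comparing the old and new version comments before applying an upgrade.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample workflow for this example. The SHAs are obvious
# placeholders, not real commits of the named actions.
SAMPLE_WORKFLOW = """\
name: Scorecards supply-chain security
on:
  push:
    branches: [ main ]
jobs:
  analysis:
    runs-on: ubuntu-latest
    steps:
      - name: "Checkout code"
        uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v3.0.0
      - name: "Run analysis"
        uses: ossf/scorecard-action@v1.1.1
      - name: "Upload artifact"
        uses: actions/upload-artifact@89abcdef0123456789abcdef0123456789abcdef
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@v1
      - name: "Local composite action"
        uses: ./.github/actions/local
"""

# A `uses:` line: optional list dash, the ref, and an optional trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)\s*(?:#\s*(?P<comment>.*?))?\s*$")
# A full-length git commit SHA; anything shorter or a tag is mutable.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    pinned: bool
    version: Optional[str]   # the "# vX.Y.Z" comment next to a pinned SHA, if any
    problems: List[str]


def audit_workflow(text: str) -> List[Finding]:
    """Return one Finding per remote action reference in the workflow text."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group("ref")
        # Local actions and Docker images carry no GitHub ref to pin.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, _, ref = target.partition("@")
        pinned = bool(SHA_RE.match(ref))
        version = (m.group("comment") or "").strip() or None
        problems: List[str] = []
        if not pinned:
            problems.append(f"not pinned to a full commit SHA (uses '{ref}')")
        elif version is None:
            problems.append("pinned SHA has no version comment; upgrades are unreadable")
        findings.append(Finding(lineno, action, ref, pinned, version, problems))
    return findings


def major_version(version: str) -> Optional[int]:
    """Major number from a tag or comment such as 'v2', 'v2.1.8' or '2.1.8'."""
    m = re.match(r"^v?(\d+)", version)
    return int(m.group(1)) if m else None


def is_major_bump(old: str, new: str) -> bool:
    """True when an upgrade crosses a major boundary (e.g. codeql-action v1 -> v2),
    which is where breaking changes are allowed and the changelog must be read."""
    a, b = major_version(old), major_version(new)
    return a is not None and b is not None and b > a


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        status = "ok" if not f.problems else "; ".join(f.problems)
        print(f"line {f.line}: {f.action}@{f.ref} ({f.version or 'no version comment'}): {status}")
    print("codeql-action v1.1.22 -> v2.1.8 is a major bump:", is_major_bump("v1.1.22", "v2.1.8"))
```

Run it against a real workflow by reading the file into `audit_workflow`; any finding with `problems` is either a mutable tag reference (the thing dependabot's hash updates are meant to avoid) or a pinned SHA whose version comment was dropped, which makes the next review of a bump much harder. When `is_major_bump` is true for the old and new comments, treat the upgrade as potentially breaking and test it in an e2e workflow first rather than only on one repository.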