
Update action hashes in recipe #946

Closed
pnacht opened this issue Sep 21, 2022 · 7 comments

Comments

@pnacht
Contributor

pnacht commented Sep 21, 2022

The Scorecard Action recipe relies on a few different GitHub Actions:

uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v3.0.0
uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag=v1.0.26

These Actions all have newer versions

uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
uses: github/codeql-action/upload-sarif@904260d7d935dff982205cbdb42025ce30b7a34f # tag=v2.1.24

I've already tried the updated checkout and upload-artifact versions and they work just fine. checkout seems to have mostly bumped up a few npm package versions (changelog). upload-artifact added checksums to reduce file corruption issues which apparently happen from time to time (changelog).

The codeql-action has multiple new versions, and has had a major-version increase to v2. v1 will be deprecated as of December 2022, a warning I've seen displayed... somewhere while setting up the Action. I have not yet checked whether there are any breaking changes between v1 and v2 for codeql-action/upload-sarif.
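The pins quoted above follow one pattern: a full 40-hex commit SHA after the `@`, with the human-readable version kept in a `# tag=` comment. The block below is an added example, not code from this issue or from the scorecard-action project: a small regex-based Python checker that lists every `uses:` step in a workflow, flags steps whose ref is not a full commit SHA (a mutable tag such as `v3`, or a short SHA), and rewrites selected pins to new SHAs. The sample workflow, the two unpinned steps in it, and the function names `parse_uses`, `find_unpinned` and `bump_pins` are constructed for the example; the three pinned steps and the replacement hashes are copied from the issue text.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample workflow (not the real scorecard starter workflow): the three
# pinned steps quoted in the issue plus two unpinned steps added to exercise the check.
SAMPLE_WORKFLOW = """\
jobs:
  analysis:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
      - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v3.0.0
      - uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag=v1.0.26
      - uses: actions/setup-go@v3
      - uses: actions/cache@abc1234
"""

# Matches `uses: <owner/repo[/path]>@<ref>`, optionally followed by a `# tag=...` comment.
# Local (`./path`) and `docker://` actions have no `@` and are intentionally skipped.
USES_RE = re.compile(
    r"^(?P<prefix>\s*(?:-\s*)?uses:\s*)"
    r"(?P<action>[^@\s]+)@(?P<ref>\S+)"
    r"(?P<rest>\s*#.*)?$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"tag=(?P<tag>\S+)")


def parse_uses(workflow: str) -> List[dict]:
    """Return one record per `uses:` step: line number, action, ref, tag comment, pinned?"""
    steps = []
    for lineno, line in enumerate(workflow.splitlines(), start=1):
        m = USES_RE.match(line.rstrip())
        if not m:
            continue
        tag_m = TAG_RE.search(m.group("rest") or "")
        steps.append({
            "line": lineno,
            "action": m.group("action"),
            "ref": m.group("ref"),
            "tag": tag_m.group("tag") if tag_m else None,
            # Only a full 40-hex SHA counts as pinned; tags and short SHAs are mutable
            # or ambiguous and are reported.
            "pinned": bool(FULL_SHA_RE.match(m.group("ref"))),
        })
    return steps


def find_unpinned(workflow: str) -> List[dict]:
    """Steps whose ref is not a full commit SHA."""
    return [s for s in parse_uses(workflow) if not s["pinned"]]


def bump_pins(workflow: str, updates: Dict[str, Tuple[str, str]]) -> str:
    """Rewrite `action@<sha> # tag=<tag>` for each action listed in `updates`.

    `updates` maps action name -> (new_full_sha, new_tag). Actions not listed are
    left untouched; a non-full SHA in `updates` is rejected rather than written.
    """
    out = []
    for line in workflow.splitlines(keepends=True):
        m = USES_RE.match(line.rstrip("\n").rstrip())
        if m and m.group("action") in updates:
            new_sha, new_tag = updates[m.group("action")]
            if not FULL_SHA_RE.match(new_sha):
                raise ValueError(f"refusing to pin {m.group('action')} to non-full SHA {new_sha!r}")
            newline = f"{m.group('prefix')}{m.group('action')}@{new_sha} # tag={new_tag}"
            out.append(newline + ("\n" if line.endswith("\n") else ""))
        else:
            out.append(line)
    return "".join(out)


# The newer pins listed in the issue.
ISSUE_UPDATES = {
    "actions/checkout": ("2541b1294d2704b0964813337f33b291d3f8596b", "v3.0.2"),
    "actions/upload-artifact": ("3cea5372237819ed00197afe530f5a7ea3e805c8", "v3.1.0"),
    "github/codeql-action/upload-sarif": ("904260d7d935dff982205cbdb42025ce30b7a34f", "v2.1.24"),
}


if __name__ == "__main__":
    for s in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {s['line']}: {s['action']}@{s['ref']} is not pinned to a full commit SHA")
    print(bump_pins(SAMPLE_WORKFLOW, ISSUE_UPDATES))
```

The checker is deliberately strict about what counts as pinned: a tag such as `v3` can be moved by whoever controls the upstream repository, while a full commit SHA names one immutable commit, so only the latter is accepted. The `# tag=` comment carries no security weight and is only there so a reader (or a bump tool) can see which release the hash corresponds to; `bump_pins` rewrites both together so they cannot drift apart.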

@naveensrinivasan
Member

These are automatically upgraded by dependabot. Thanks!

@azeemshaikh38
Contributor

Thanks for the report @pnacht. For this issue and #945 I think the starter workflow needs to be updated. You mentioned you'd be willing to send a PR, so I'll take you up on that :) If you could update the starter workflow template here, that should fix both #945 and this issue.

@pnacht
Contributor Author

pnacht commented Sep 21, 2022

Sure thing @azeemshaikh38. One question, though: is there some recommended means to test GHAs? I'm especially concerned regarding the codeql-action, since it had a major version upgrade and so might have breaking changes. I haven't seen anything relevant on the changelog, but still. I could just try it on one repo and see if it works, but that doesn't sound right.

@azeemshaikh38
Contributor

azeemshaikh38 commented Sep 21, 2022

We have e2e tests setup for the GHA - https://github.com/ossf-tests/scorecard-action/blob/main/.github/workflows/scorecards-latest-release.yml. Do you want to test your updates there first?

@pnacht
Contributor Author

pnacht commented Sep 21, 2022

Yeah, that sounds safer. Should I just write a PR modifying that test and see if it crashes? Do I even need to submit the PR or can I just run my own fork (with my own SCORECARD_READ_TOKEN)?

@azeemshaikh38
Contributor

Hmm, up to you really. Making a PR would help us keep our e2e tests more up-to-date. But if that's too much work, feel free to skip and just test locally.

@pnacht
Contributor Author

pnacht commented Nov 17, 2022

Resolved by actions/starter-workflows#1775.

@pnacht pnacht closed this as completed Nov 17, 2022