Pin GitHub Actions#316
Conversation
e1a5550 to
6f03238
Compare
krisztianfekete
left a comment
There was a problem hiding this comment.
Thanks for the PR, I am not able to find 3 SHAs, can you please check those?
| steps: | ||
| - name: Install Protoc | ||
| uses: arduino/setup-protoc@v1 | ||
| uses: arduino/setup-protoc@f4d5893b897028ff5739576ea0409746887fa536 # v3.0.0 |
There was a problem hiding this comment.
Hm, where is this SHA coming from? I can see a different one for v3.0.0.
There was a problem hiding this comment.
Hmm, my script for this pulls from the github releases API. Let me see why this is a weird SHA.
There was a problem hiding this comment.
Wat?
$ gh api "repos/arduino/setup-protoc/git/ref/tags/v3.0.0"
{
"ref": "refs/tags/v3.0.0",
"node_id": "MDM6UmVmMjE2Nzk3NDU4OnJlZnMvdGFncy92My4wLjA=",
"url": "https://api.github.com/repos/arduino/setup-protoc/git/refs/tags/v3.0.0",
"object": {
"sha": "f4d5893b897028ff5739576ea0409746887fa536",
"type": "tag",
"url": "https://api.github.com/repos/arduino/setup-protoc/git/tags/f4d5893b897028ff5739576ea0409746887fa536"
}
}
There was a problem hiding this comment.
Weird, it seems like the tag SHA is different from the commit SHA?
{
"node_id": "TA_kwDODOwREtoAKGY0ZDU4OTNiODk3MDI4ZmY1NzM5NTc2ZWEwNDA5NzQ2ODg3ZmE1MzY",
"sha": "f4d5893b897028ff5739576ea0409746887fa536",
"url": "https://api.github.com/repos/arduino/setup-protoc/git/tags/f4d5893b897028ff5739576ea0409746887fa536",
"tagger": {
"name": "Alessio Perugini",
"email": "alessioper.98@gmail.com",
"date": "2024-01-31T16:07:01Z"
},
"object": {
"sha": "c65c819552d16ad3c9b72d9dfd5ba5237b9c906b",
"type": "commit",
"url": "https://api.github.com/repos/arduino/setup-protoc/git/commits/c65c819552d16ad3c9b72d9dfd5ba5237b9c906b"
},
"tag": "v3.0.0",
"message": "v3.0.0\n-----BEGIN SSH SIGNATURE-----\nU1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgoNtlU6pK7Wh241mMrnFjDlk+OR\nS2JujVZ/sAQOKKylYAAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5\nAAAAQHPo4pLagVKEc/TfXrhbtRZL8lEPVjVUnvH8nlbEGnmNXSCAZqjF2A39XbbSyQN46F\njVJyhvQqcN2oWHmDBrnAM=\n-----END SSH SIGNATURE-----\n",
"verification": {
"verified": true,
"reason": "valid",
"signature": "-----BEGIN SSH SIGNATURE-----\nU1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgoNtlU6pK7Wh241mMrnFjDlk+OR\nS2JujVZ/sAQOKKylYAAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5\nAAAAQHPo4pLagVKEc/TfXrhbtRZL8lEPVjVUnvH8nlbEGnmNXSCAZqjF2A39XbbSyQN46F\njVJyhvQqcN2oWHmDBrnAM=\n-----END SSH SIGNATURE-----\n",
"payload": "object c65c819552d16ad3c9b72d9dfd5ba5237b9c906b\ntype commit\ntag v3.0.0\ntagger Alessio Perugini \u003Calessioper.98@gmail.com\u003E 1706717221 +0100\n\nv3.0.0\n",
"verified_at": "2024-11-06T14:52:49Z"
}
}```
There was a problem hiding this comment.
$ git clone https://github.com/arduino/setup-protoc.git
$ cd setup-protoc
$ git show-ref --tags
...
e58d94cc5c94a8e49c8b747feac4b1c17f199561 refs/tags/v2.0.0
9389d971368b9729ed1c0c6d988ecff2a19a5c82 refs/tags/v2.1.0
f4d5893b897028ff5739576ea0409746887fa536 refs/tags/v3.0.0
Seems legit?
There was a problem hiding this comment.
Ahh, I see now. Those 3 aren't the actual commits but the tag/release objects. Your script probably looks up refs/tags/vX, and for a tag that ref points at a tag object not the commit, so one hop might be missing?
The actions/* ones are tags that point to the commits directly, so this seems to be the reason why these were weird.
Can we change to commit SHAs for these 3 as well to keep it consistent and make it easy for users to look up what we pin?
There was a problem hiding this comment.
Yup, exactly, it goes off the release tag.
I can change this, but I can't say for sure what Dependabot will do when it updates things.
| - uses: actions/checkout@v2 | ||
| - uses: actions-rs/toolchain@v1 | ||
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | ||
| - uses: actions-rs/toolchain@56751392ac172fc3a68fef1413f507767ed5f563 # v1.0.6 |
There was a problem hiding this comment.
Cannot find this SHA either in the original repository.
There was a problem hiding this comment.
FYI, I noticed this action is archived. Might be worth looking into a replacement.
| key: cargo-index-${{ hashFiles('Cargo.toml') }} | ||
|
|
||
| - uses: actions-rs/cargo@v1 | ||
| - uses: actions-rs/cargo@b0651d9f4d4983fd4cc8e94d927bdc0bb5566667 # v1.0.1 |
There was a problem hiding this comment.
Cannot find this SHA either in the original repository.
There was a problem hiding this comment.
Same with this one, it's archived.
Pin GitHub actions for supply chain security. * Mark dependabot config to be skipped by repo sync. Signed-off-by: SuperQ <superq@gmail.com>
6f03238 to
5f6871e
Compare
Pin GitHub actions for supply chain security.