Pin versions of 3rd-party actions and GitHub runners #41
NoureldinYosri merged 8 commits into quantumlib:main from
Conversation
Google security best practices recommend the use of specific runner operating system versions instead of "-latest". (Internal documentation link: go/github-actions#actions)
Google's terms for allowing the use of GitHub Actions on Google-owned repositories require that third-party actions be referenced using a specific commit, not a tagged release or a branch name. (Internal doc link: go/github-actions#actions) The version numbers in this commit were obtained using [frizbee](https://github.com/stacklok/frizbee).
NoureldinYosri left a comment:
Thanks @mhucka, but the changes seem to make the CI unable to start.
I think I see the problem:

```yaml
name: Build and Test
on: [push]
```

I'm surprised this hasn't come up before. For CI checks, CI workflows normally need If using merge queues, it also needs a Here's what I've been using for the other repos:

```yaml
on:
  pull_request:
    types: [opened, synchronize]
    branches:
      - master
  merge_group:
    types:
      - checks_requested
  # Allow manual invocation.
  workflow_dispatch:
```

The If you like these settings, I can either modify this PR or make a new one just for the trigger changes. (Let me know which approach you prefer.)
Google's terms for allowing the use of GitHub Actions on Google-owned repositories require that third-party actions be referenced using a specific commit, not a tagged release or a branch name. They also recommend that GitHub-hosted runners be referenced by fixed versions and not "-latest". (Internal doc link: go/github-actions#actions)
The SHAs for GitHub Actions in this commit were obtained using frizbee. The runner versions equivalent to the "-latest" runners are based on the table at https://github.com/actions/runner-images
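As an added illustration of the two rules this PR enforces (not code from the PR or from frizbee), the following checker scans a workflow file and reports any `uses:` reference that is not pinned to a full 40-character commit SHA and any `runs-on:` that floats on a "-latest" runner image. The sample workflow and its SHA are constructed for the example; `find_unpinned` and `SAMPLE_WORKFLOW` are names chosen here.

```python
import re

# A pinned action reference must be a full 40-hex-digit commit SHA.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^-?\s*uses:\s*(\S+)")
RUNS_ON_RE = re.compile(r"^runs-on:\s*(\S+)")


def find_unpinned(workflow_text):
    """Return (line, key, value, reason) tuples for floating references."""
    findings = []
    for lineno, raw in enumerate(workflow_text.splitlines(), 1):
        line = raw.strip()
        m = USES_RE.match(line)
        if m:
            ref = m.group(1).strip("\"'")
            # Local composite actions and docker:// images are not GitHub refs.
            if ref.startswith("./") or ref.startswith("docker://"):
                continue
            if "@" not in ref:
                findings.append((lineno, "uses", ref, "no ref given"))
                continue
            version = ref.rsplit("@", 1)[1]
            if not FULL_SHA_RE.match(version):
                findings.append((lineno, "uses", ref,
                                 "not pinned to a full commit SHA"))
            continue
        m = RUNS_ON_RE.match(line)
        if m:
            runner = m.group(1).strip("\"'")
            # Expressions such as ${{ matrix.os }} are resolved elsewhere.
            if "${{" not in runner and runner.endswith("-latest"):
                findings.append((lineno, "runs-on", runner,
                                 "floating '-latest' runner image"))
    return findings


# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: Build and Test
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # constructed
        with:
          python-version: '3.12'
  lint:
    runs-on: ubuntu-22.04
    steps:
      - uses: ./.github/actions/local-lint
"""
```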