New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(presets): pinGitHubActionDigestsToSemver #23663
feat(presets): pinGitHubActionDigestsToSemver #23663
Conversation
Thank you for addressing my feature request! |
@TWiStErRob can you give me new suggestions to resolve the comments? I don't know which suggestions I should apply... 🙈 |
Co-authored-by: Róbert Papp <papp.robert.s@gmail.com>
originally led to this approach by #23577 (comment), i thought i'd try to provide some thoughts from my experience after adding the work-around to my personal preset.
this is from the comment that i linked to above. while i think this specific quote was specifically about including the reference to the workaround alongside the docs for the My goals with digestsmy goal with pinning digests is to make sure that the version of the action referenced in git for a certain commit remains fully repeatable, so that i avoid the situation where a tag could be moved to a different commit. my assumption was that this would still reference specific releases, but adding this rule has helped me recognize that my expectations might not have aligned with the real behaviors. i value the visibility that the version comment adds so that i can understand the current state of things, but i did not expect that the comment might also be driving some behavior. Scenarios with pinned digestsi can think of three scenarios that i've experienced since adding the pinning helper further back than this additional rule.
behavior observations
collecting my thoughtssorry for the lengthy context that somewhat hijacks this thread. happy to be redirected elsewhere if it would be valuable, but seemed related enough to this effort that i thought it would be valuable to start here. what i'm building to is this. i think the addition of this helper will be a great addition. however, i think there might be something lost in thinking about implementing this that might deserve stepping back and considering from a higher level. my goal is to pin the digest for reproducibility and avoid potential attacks because of a tag being moved to a different commit. i still want to see the corresponding version, so the comment is valuable. i want it there always, even if i accidentally remove it. since i'm already pinning to an exact version through the digest, the version comment might as well also be as specific as possible. to tie in the comment from above, i want to clarify that i want the pinning that happens to correspond to real releases, whatever that means. being fully semver compliant is less valuable than aligning to real releases. i dont know the details of the underlying implementation, but i'd love to see the updates be driven by the version comment rather than the digest. when a release happens, i want the version comment to be updated to the most specific available and the digest to align to that released version. i think this proposed helper is a big step in the right direction and i'm eager to add it to some other projects, but i'm hoping that stepping back to consider the goal might help think through how to iterate forward. |
Make pin to SemVer default behavior?
@travi Yes, that comment was about putting a load of text into a @travi It sounds like you want to change the Here's the current code for the {
"packageRules": [
{
"matchDepTypes": [
"action"
],
"pinDigests": true
}
]
} About digest pinning
GitHub recommend that you pin third-party actions to a specific commit, to prevent bad actors from making a malicious release. As an added bonus, pinning to a specific commit also makes your CI more reproducible. About the three states in your commentI'll let one of the maintainer deal with this part, I'm not qualified to talk about the behavior or the code. 😄 About your behavior observations
I guess Renovate doesn't have enough information based on just the commit hash what it should do:
I don't know what happens if Renovate sees a commit hash without the tag comment, right now. I found some relevant text in the
About collecting my thoughts
Agreed.
I like your point of aliging to "real releases"! HonkingGoose's summary of your ideaChecking in to see if I understand your comment correctly. I think this is the short summary of what you want?
Please correct me if I'm wrong! 😉 Footnotes |
What's an example change which this would make? Can someone give me an example of before and after? |
yes, i think there would be value in enabling this behavior by default. it does feel like a best-practice to me. the one detail that i would clarify here is that i think the semver precision is more of a side-effect than the target behavior. i know this is repetitive with the similar point in the "collecting my thoughts" section, so this is just reinforcing that point. i dont fully understand the relationships that renovate is capable of managing, but it seems to me that aligning the comment to the most specific release version available is the best target regardless of whether that is fully semver or not. it is common for github actions to have to tracked versions, one with just the major (vx) and one that is a full semver (vx.y.z). however, some projects choose other patterns like major (vx) and vx.y. in a case like that, using the vx.y is valuable, even though it isnt a full vx.y.z.
#3 is the only one that i'd again possibly question the wording of. like above, i think i'd land somewhere closer to "most specific version available from a real release". i think we are basically saying the same thing, but i think there are real situations where a full semver version doesnt exist in a real release, so i think this rewording mostly helps to define the behavior in the less common scenarios where a full semver release doesnt exist overall, i think you've captured my point well |
if i'm understanding your question correctly, these are examples of the proposed preset making the version comment more specific: in case it is helpful, this is an example of manually re-adding an accidentally removed version comment and the steps renovate currently follows to get back to a good state:
do these examples clarify what you were asking about? |
Thanks, that helps to clarify. The 3 -> 3.1.4 part is what we'd normally refer to as pinning versions, so the "digests" part in the title here threw me off (and maybe needs reconsideration). Let's consider two similar scenarios:
For (1), going from v3 to v3.1.4 does make a difference to future behavior. With v3 alone, you wouldn't get any PR until a v4 is one day released. For (2) you'll get PRs any time the v3 tag is updated to point to a different SHA, which is quite likely to be any time a new semver release comes out (e.g. v3.1.5). So in (2), you are already going to get a Renovate PR approximately every time there's a new semver release anyway and pinning to v3.1.4 does not cause more noise. On the upside, it will allow you to get release notes and more transparency about what version you're using. In other words:
Is the above aligned with your thinking too? |
Somebody should check if the regex that's currently in my PR will do this:
|
using workaround config until renovatebot/renovate#23663 potentially moves forward
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can some examples of this in action be shared?
using workaround config until renovatebot/renovate#23663 potentially moves forward
@rarkins I see that |
@rarkins, I think you're looking for these: org:semantic-release is:pr created:2023-10-23 "update actions".
Weird thing is that this is also after the merge: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure exactly how/why this works, but it's opt-in/optional for users so I'm happy to merge it and let people try it
What remains to resolve this? |
@MPV that mega-thread is probably 3 conversations away from the original which was "resolved" in August: https://github.com/renovatebot/renovate/pull/23663/files#r1299844474, only collaborators and PR author can resolve conversations. I'm lost in all the follow-ups :) Ignoring all the convos, the code make sense in the PR. I disagree with with only supporting vx and vx.y.z, but that was the maintainer's decision, so I have to accept. |
🎉 This PR is included in version 37.119.0 🎉 The release is available on:
Your semantic-release bot 📦🚀 |
Co-authored-by: Róbert Papp <papp.robert.s@gmail.com>
Co-authored-by: Róbert Papp <papp.robert.s@gmail.com>
Co-authored-by: Róbert Papp <papp.robert.s@gmail.com>
@coderabbitai: ignore
Changes
helpers:pinGitHubActionDigestsToSemver
presetContext
Based on:
vX -> vX.Y.Z
conversion existance #23577Documentation (please check one with an [x])
How I've tested my work (please select one)
I have verified these changes via: