Update workflow actions #52
Pull request overview
Updates GitHub Actions workflow dependencies used by CI and the GHCR release pipeline.
Changes:
- Bumps `actions/checkout` and `actions/setup-dotnet` versions in CI and release workflows.
- Pins several Docker-related actions in the GHCR release workflow to specific commit SHAs.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| .github/workflows/release-ghcr.yml | Updates checkout/setup-dotnet versions and pins Docker actions to SHAs for the GHCR release workflow. |
| .github/workflows/ci.yml | Updates checkout/setup-dotnet versions across CI jobs. |
| - uses: actions/checkout@v6 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Set up dotnet | ||
| uses: actions/setup-dotnet@v4 | ||
| uses: actions/setup-dotnet@v5 | ||
| with: | ||
| dotnet-version: '10.x' |
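Review bot: the `actions/checkout@v6` step with `fetch-depth: 0` leaves the job's GITHUB_TOKEN persisted in the checked-out repository's git config by default; unless a later step in this release job needs it to push, add `persist-credentials: false` under `with:` so the token is not available to subsequent steps via the working tree. When the moving tags here are replaced by full commit SHAs, keep a trailing version comment (e.g. `# v6`, `# v5`) on each `uses:` line so Dependabot can still identify and update the pins.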
actions/checkout and actions/setup-dotnet are referenced by moving version tags here, while other actions in this workflow are pinned to immutable commit SHAs. For supply-chain security and reproducibility, pin these actions to specific commit SHAs as well (and keep them updated via Dependabot).
| - uses: actions/checkout@v6 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Set up QEMU | ||
| uses: docker/setup-qemu-action@v3 | ||
| uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a |
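Review bot: the SHA pin on `docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a` carries no version annotation, so a reviewer cannot tell which release it corresponds to and Dependabot has nothing to update from; append a comment with the tag the SHA resolves to (for example `# v3.x.y`, placeholder here) and confirm before merging that the full SHA is a commit of a tagged release on the upstream docker/setup-qemu-action repository.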
This job pins the Docker actions to commit SHAs but leaves actions/checkout on a moving tag. Pin actions/checkout to a commit SHA too so the full release pipeline is reproducible and less susceptible to upstream tag movement.
| - uses: actions/checkout@v6 | ||
| - name: Set up dotnet | ||
| uses: actions/setup-dotnet@v4 | ||
| uses: actions/setup-dotnet@v5 | ||
| with: | ||
| dotnet-version: '10.x' |
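Review bot: `actions/setup-dotnet` v4 to v5 is a major-version bump; check the v5 release notes for changed inputs or defaults before merging, since `dotnet-version: '10.x'` is the only input carried over. Pin both `actions/checkout` and `actions/setup-dotnet` in this job to full commit SHAs with version comments, matching what release-ghcr.yml does for the Docker actions.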
These workflow actions are referenced via moving version tags. For supply-chain security and to make CI runs reproducible, pin actions/checkout and actions/setup-dotnet to commit SHAs (similar to how other workflows pin third-party actions).
| - uses: actions/checkout@v6 | ||
| - name: Set up dotnet | ||
| uses: actions/setup-dotnet@v4 | ||
| uses: actions/setup-dotnet@v5 | ||
| with: | ||
| dotnet-version: '10.x' |
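Review bot: this is the same checkout/setup-dotnet pair as the other CI jobs; if these are moved to SHA pins, do it uniformly across every job in ci.yml in this PR and add a `github-actions` ecosystem entry to the Dependabot config (if not already present) so all pins are refreshed together rather than drifting job by job.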
These workflow actions are referenced via moving version tags. Pin actions/checkout and actions/setup-dotnet to commit SHAs so integration test runs are reproducible and less exposed to upstream tag changes.
| - uses: actions/checkout@v6 | ||
| - name: Set up dotnet | ||
| uses: actions/setup-dotnet@v4 | ||
| uses: actions/setup-dotnet@v5 | ||
| with: | ||
| dotnet-version: '10.x' |
These workflow actions are referenced via moving version tags. Pin actions/checkout and actions/setup-dotnet to commit SHAs (and keep them updated) to avoid unexpected CI breakages when upstream tags move.
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v6 |
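Review bot: this job jumps `actions/checkout` from v4 straight to v6, skipping a major version; review the v5 and v6 release notes for changed defaults or runner runtime requirements before merging, and pin to a full commit SHA with a `# v6` comment so the step is reproducible and still picked up by Dependabot.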
actions/checkout is referenced by a moving version tag here. Consider pinning it to a commit SHA for CI reproducibility/supply-chain hardening, consistent with the approach used for other actions in this repo.
No description provided.