Pin+update Github Actions, add dependabot config for action updates #568
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The current Github actions used in the test and build workflow are outdated and cause the following warnings: * The following actions uses Node.js version which is deprecated and will be forced to run on node20: actions/checkout@v3, actions/setup-python@v4, actions/upload-artifact@v3 * The following artifacts were uploaded using a version of actions/upload-artifact that is scheduled for deprecation: "ci-artifacts" see e.g. https://github.com/SeedSigner/seedsigner/actions/runs/9842707509 This PR therefore updates all actions and additionally pins them to their exact git sha1 (with human readable version as comment). This is done for security reasons as plain versions are git tags and thus are mutable = can influence the workflow outcome if manipulated. see also https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions An added dependabot config helps to keep those actions up-to-date and makes it much easier as no person has to deal with manually updating action sha1s. Merging this PR results in the creation of automatic update PRs by dependebot as can be seen here #8
dbast
commented
Jul 9, 2024
| with: | ||
| name: seedsigner_os_images | ||
| name: seedsigner_os_images_${{ matrix.target }} |
There was a problem hiding this comment.
due to API change, each upload from the matrix (Python 3.10, 3.12) requires a different name
dbast
commented
Jul 9, 2024
| with: | ||
| name: seedsigner_os_images |
There was a problem hiding this comment.
Required to download all differently named uploads from the same workflow run.
dbast
commented
Jul 9, 2024
| @@ -145,12 +144,12 @@ jobs: | |||
| - name: write sha256sum | |||
| run: | | |||
| cd images | |||
| sha256sum *.img > seedsigner_os.${{ env.source_hash }}.sha256 | |||
| find . -name "*.img" -print0 | xargs -0 cat | sha256sum | tee seedsigner_os.${{ env.source_hash }}.sha256 | |||
There was a problem hiding this comment.
Required as all downloads end up in different subfolders
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The current Github actions used in the test and build workflow are outdated and cause the following warnings:
see e.g. https://github.com/SeedSigner/seedsigner/actions/runs/9842707509
This PR therefore updates all actions and additionally pins them to their exact git sha1 (with human readable version as comment). This is done for security reasons as plain versions are git tags and thus are mutable = can influence the workflow outcome if manipulated.
see also https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
An added dependabot config helps to keep those actions up-to-date and makes it much easier as no person has to deal with manually updating action sha1s. Merging this PR results in the creation of automatic update PRs by dependebot as can be seen here dbast#8
Description
Describe the change simply. Provide a reason for the change.
Include screenshots of any new or modified screens (or at least explain why they were omitted)
This pull request is categorized as a:
Checklist
pytestand made sure all unit tests pass before sumbitting the PRIf you modified or added functionality/workflow, did you add new unit tests?
I have tested this PR on the following platforms/os:
Note: Keep your changes limited in scope; if you uncover other issues or improvements along the way, ideally submit those as a separate PR. The more complicated the PR the harder to review, test, and merge.