Add GitHub Actions workflow for automated testing and Dependabot configuration #50
…iguration
- Add test.yml workflow that runs Django tests on push and PR to main
- Add Dependabot to automatically update GitHub Actions weekly

Hello @lwasser, this is the final PR to add a simple workflow to run tests and Dependabot. I used older versions of the actions so I can see what Dependabot does later 😅
.github/workflows/test.yml (outdated)

    uses: actions/checkout@v4

    - name: Set up Python 3.12
      uses: actions/setup-python@v5
@Phinart98, your PR looks excellent, and we can merge as is, but I want to show you one small thing that is actually important to know about for security.
The way you set up actions is CORRECT! BUT it's more SECURE if you use the entire HASH in each action step - see a PR I made recently that updates this piece here:
https://github.com/pyOpenSci/pyosMeta/pull/313/files
The cool thing is that once you set this up, Dependabot will update the actual hash as well.
The reason why you do this is that a hash to a commit is immutable - it can't be changed. BUT it is possible to change a release value, e.g., 5.0 could be modified to point to a different commit. This makes the workflow vulnerable to security breaches. I am going to update this workflow for you. And then I'll ping you when Dependabot updates it for us to a newer version. (I also need to see if Dependabot is set up here; it may not be.)
.github/dependabot.yml (outdated)

    - package-ecosystem: "github-actions"
      directory: "/"
      schedule:
        interval: "weekly"
You will find that if the repo is SUPER ACTIVE and you are only managing one, then weekly is ok. But generally, monthly is easier to keep up with - ESPECIALLY if you maintain a lot of different repos.
I've also enabled Dependabot in the repository. In GitHub, if you go to Security within the repository settings, you'll see several Dependabot settings: https://github.com/pyOpenSci/pyopensci-django/settings/security_analysis I turned on Dependabot and grouping, etc. there! You just hit "enable" to turn things on. Then the .dependabot file that you included can be used to manage more detailed settings about how and when it runs. For instance, we could use it as well to keep our Python dependencies up to date too. I prefer to manage Python dependencies manually myself, so I never turn that on. Especially since we can use UV to do it now! Your settings here are perfect!

Thank you so much for this. I remember you mentioning the hashing issue on one of our calls 😅. I'll look into this properly and make sure I follow this pattern going forward!
closes #38