Update all actions we use in our workflows to pull from specific pinned commits#1305
Conversation
| - name: Annotate code linting results | ||
| uses: ataylorme/eslint-annotate-action@1.2.0 | ||
| uses: ataylorme/eslint-annotate-action@5f4dc2e3af8d3c21b727edb597e5503510b1dc9c # v2.2.0 |
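Review bot: this line pins to a SHA but also moves the action from 1.2.0 to 2.2.0, a major version jump bundled into the pinning change; confirm that `5f4dc2e3af8d3c21b727edb597e5503510b1dc9c` is the commit the v2.2.0 release tag resolves to, and keep the `# v2.2.0` trailing comment, since a bare SHA gives reviewers no way to see which version is in use or whether the pin is stale. It would also help to call out the major bump in the PR description so the 3.0.0 discussion above has context.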
Looks like some interesting updates in the 3.0.0 release, but definitely a concern for a different day/PR
Yeah... I debated going to 3.0.0 but with the noted breaking changes there, decided it might be better to handle that separately (though it may just work without any needed changes on our end)
jeffpaul
left a comment
Looks good, thanks for handling these so quickly!
Some E2E failures here but they do not seem related to the changes in this PR. I think I may wait until #1302 gets merged in (as that PR fixes some existing failures) to see if that fixes things here

Decided to go ahead and merge this in instead of waiting on #1302 so we can have these changes in place if anyone asks about it. Nothing here should impact if E2E tests pass or not so no real need to wait
Description of the Change
In order to help protect against compromised actions, instead of including actions based on their major version (like v4), this PR switches all the actions we use to pull based on the commit hash from the latest release.
While this does impact maintenance a bit going forward, it ensures that we're always using actions that we (hopefully) trust, and if an action gets compromised (which happens) we don't have to worry that we're using a compromised action. This also goes along with what GitHub suggests.
How to test the Change
Ensure all our workflows still run as expected
Changelog Entry
Credits
Props @dkotter, @jeffpaul
Checklist:
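As an added example (not part of this PR or the project's own tooling), a small checker that enforces the policy described above: every `uses:` line in a workflow must reference a full 40-hex commit SHA and carry a trailing version comment, so a tag like `@v4` or a pin without `# vX.Y.Z` is flagged. The sample workflow text is constructed for the example; the placeholder SHA `0123...` is not a real commit.

```python
import re
import sys

# A full commit SHA is 40 hex characters; anything shorter or a tag/branch is mutable.
SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")
# Matches "- uses: owner/repo@ref" or "uses: owner/repo@ref", with an optional "# vX.Y.Z" comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?")

def check_workflow(text):
    """Return a list of (line_number, reference, problem) for every unsafe `uses:` line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local composite actions and docker images are out of scope for SHA pinning.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append((lineno, ref, "no ref at all (defaults to a mutable branch)"))
            continue
        _action, _, version = ref.rpartition("@")
        if SHA_RE.match(version):
            if not m.group(2):
                findings.append((lineno, ref, "pinned but no version comment"))
            continue
        findings.append((lineno, ref, "not pinned to a full commit SHA"))
    return findings

# Constructed sample workflow: one tag reference, one correct pin, one local action,
# and one pin (placeholder SHA, not a real commit) that is missing its version comment.
SAMPLE_WORKFLOW = """\
name: lint
jobs:
  lint:
    steps:
      - uses: actions/checkout@v4
      - uses: ataylorme/eslint-annotate-action@5f4dc2e3af8d3c21b727edb597e5503510b1dc9c # v2.2.0
      - uses: ./.github/actions/local-step
      - uses: example/constructed-action@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    # Usage: python check_pins.py .github/workflows/*.yml  (falls back to the sample)
    paths = sys.argv[1:]
    sources = [(p, open(p).read()) for p in paths] or [("sample", SAMPLE_WORKFLOW)]
    for name, text in sources:
        for lineno, ref, problem in check_workflow(text):
            print(f"{name}:{lineno}: {ref}: {problem}")
```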