ci: fully hash-pin/qualify all actions with pinact #2780
Hi there! Thanks for creating and maintaining cargo nextest! I'm a happy user, both at work and in my own projects 🙂

This PR uses pinact to improve the hermeticity/reproducibility of your GitHub Actions workflows somewhat. I say "somewhat" because there are some lingering action usages that are nontrivial to hash-pin, namely those of dtolnay/rust-toolchain. For the most part those can be replaced with direct use of the stable Rust toolchain that's provided by the action runner itself, but I wanted to leave those for your consideration.

From here, I definitely recommend using Renovate or Dependabot to keep your actions updated and hash-pinned, ideally with a cooldown of at least a week to prevent opportunistic takeovers. I see you already have a Renovate config so I didn't mess with it since I'm not as familiar with Renovate as I am with Dependabot 😅
Finally, I'd definitely recommend taking a look at zizmor for some other CI/CD hardening steps that could be taken here -- I think action pinning is probably the most important/highest impact thing in your case, but if you're interested some other hardening changes I'd be happy to send PRs or help someone else in sending them!
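The PR description above relies on the distinction between a mutable `uses:` reference (a tag or branch such as `@v4` or `@stable`, which the upstream owner, or anyone who compromises them, can repoint) and an immutable full commit SHA. The checker below is an added example, not pinact, zizmor, or any code from this PR or the nextest project: it scans a constructed workflow for `uses:` lines, classifies each reference, and rewrites a mutable reference to a SHA while keeping the original tag as a trailing comment, which is the convention Dependabot and Renovate read to keep the pin updated. The `resolved` mapping stands in for the `git ls-remote` lookup a real tool would do; the repository name `example-org/example-action` and all SHAs in it are made up.

```python
import re

# Constructed sample workflow (not from the PR). The SHA on line 8 and the
# action name example-org/example-action are fabricated for illustration.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: dtolnay/rust-toolchain@stable
      - uses: ./.github/actions/local
      - uses: docker://ghcr.io/example/image:1.2
"""

# Matches `uses:` steps, optionally quoted; group 1 is the reference up to
# whitespace or a trailing `# tag` comment.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)""")
# A full Git commit SHA-1. Anything shorter is a prefix and still ambiguous.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref: str) -> str:
    """Return how a `uses:` reference is pinned.

    'local'    - path inside the repository, pinned by the checkout itself
    'docker'   - container image; digest pinning is a separate concern
    'unpinned' - no @ref at all, resolves to the action's default branch
    'hash'     - full 40-hex commit SHA, immutable
    'mutable'  - tag or branch name that the upstream can move
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    if "@" not in ref:
        return "unpinned"
    _, _, version = ref.rpartition("@")
    return "hash" if SHA_RE.fullmatch(version) else "mutable"


def find_unpinned(workflow_text: str) -> list[tuple[int, str, str]]:
    """List (line number, reference, kind) for every non-hash-pinned action."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        kind = classify_uses(ref)
        if kind in ("mutable", "unpinned"):
            findings.append((lineno, ref, kind))
    return findings


def pin_uses(line: str, resolved: dict[tuple[str, str], str]) -> str:
    """Rewrite one `uses:` line to `owner/repo@<sha> # <tag>` if `resolved`
    maps (action, tag) to a SHA; lines that are not mutable refs, or that
    cannot be resolved, are returned unchanged rather than guessed at."""
    m = USES_RE.match(line)
    if not m:
        return line
    ref = m.group(1)
    if classify_uses(ref) != "mutable":
        return line
    action, _, version = ref.rpartition("@")
    sha = resolved.get((action, version))
    if sha is None or not SHA_RE.fullmatch(sha):
        return line
    return line.replace(ref, f"{action}@{sha} # {version}", 1)


if __name__ == "__main__":
    for lineno, ref, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is {kind}")
    # Constructed resolution, standing in for `git ls-remote`; fake SHA.
    fake = {("actions/checkout", "v4"): "f" * 40}
    print(pin_uses("      - uses: actions/checkout@v4", fake))
```

Running it flags `actions/checkout@v4` and `dtolnay/rust-toolchain@stable` as mutable and leaves the local, container, and already-hashed steps alone; the rewrite for `dtolnay/rust-toolchain@stable` is deliberately skipped when no SHA is known, matching the PR's point that a floating toolchain alias has no single commit to pin to.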