Conversation

andyfaff
Collaborator

No description provided.

@andyfaff
Collaborator Author

Updates made with gha-update package

@andyfaff andyfaff merged commit d47baf0 into reflectivity:master Nov 29, 2024
8 checks passed
@andyfaff andyfaff deleted the gha branch November 29, 2024 01:46

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
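Review bot: the trailing `# v4.2.2` comment is now the only human-readable record of which release the 40-character hash corresponds to, so it should be verified against the actions/checkout tag before merging and kept accurate every time the hash is re-pinned; a stale comment would make a future reviewer trust a ref that no longer matches the release it names.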
Contributor


Why use a hash instead of a version tag?

@andyfaff
Collaborator Author

The gha-update package does hashes by default. Using a script is nice because it does all actions automagically.
Also, hashes are more secure. If the action author makes a point release and you're using something like v4, you automatically start using that. If there's a security problem with that point release, you're exposing the repo to it. If the repo permissions aren't locked down, that can create issues. By contrast, hashes are fixed to a single version.
Using an updater script every so often seems like a good balance.
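As an added example (not code from this PR or from the gha-update project), a small checker that lists every `uses:` step in a workflow and flags the ones pinned to a tag or branch, which is exactly the reference a moved tag can silently change; the line-based parsing and the sample workflow are constructed for this illustration, and the SHA in the sample is the one pinned in this PR.

```python
import re

# A 40-hex-character commit SHA is the only immutable way to reference an action.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches a step such as `- uses: actions/checkout@v4` or
# `- uses: actions/checkout@<sha> # v4.2.2`, capturing action, ref and comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*([A-Za-z0-9_.\-/]+)@([^\s#]+)\s*(?:#\s*(\S+))?"
)


def classify_ref(ref):
    """Return 'sha' for a full commit hash, otherwise 'mutable' (tag or branch)."""
    return "sha" if SHA_RE.match(ref) else "mutable"


def audit_workflow(text):
    """Return (line_no, action, ref, kind, version_comment) for every `uses:`
    step in the workflow text; local (./) and docker:// refs are not matched."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.groups()
        findings.append((n, action, ref, classify_ref(ref), comment))
    return findings


def mutable_refs(text):
    """Only the steps that a moved tag or branch could change underneath you."""
    return [f for f in audit_workflow(text) if f[3] == "mutable"]


# Constructed sample: one step pinned by SHA (as in this PR), one by tag.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-python@v5
      - run: echo hello
"""

if __name__ == "__main__":
    for n, action, ref, kind, comment in audit_workflow(SAMPLE):
        print(f"line {n}: {action}@{ref} [{kind}] {comment or ''}")
```

Running the checker against real workflow files after `gha-update` has pinned them is a quick way to confirm nothing is still floating on a tag.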

@bmaranville
Contributor

bmaranville commented Nov 29, 2024

Good points... I try to stick mostly to actions provided directly by GitHub (where one might worry less about hijacked version tags) but it's also nice to offload some maintenance to gha-update

@bmaranville
Contributor

...though it seems like we're now trusting the gha-update package to not be malicious, instead

@andyfaff
Collaborator Author

Sort of. You can check easily that you're not using a different action (unless there's a typosquat change). A single hash version is less likely to have a problem.
