CI: Pin GitHub Actions to commit SHAs #155089
Pin all third-party actions to immutable commit SHAs, with the resolved version tag in a trailing comment. This prevents upstream tags from silently changing under us.

- actions/checkout → v6.0.2
- actions/upload-artifact → v7.0.0
- actions/download-artifact → v4.3.0

`actions/checkout` is bumped from v5 to v6 at the same time. v6 stores the git credentials outside the working tree, so they can no longer be picked up by subsequent `actions/upload-artifact` steps. See https://docs.zizmor.sh/audits/#unpinned-uses and https://docs.zizmor.sh/audits/#artipacked
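The property this PR is after (every `uses:` resolves to an immutable commit, with the version tag kept in a trailing comment) is easy to check mechanically. The script below is an added example, not code from this PR or from zizmor, that flags workflow steps which are not pinned to a full 40-hex SHA or are pinned without the version comment; it assumes the `uses: owner/repo@<sha>  # vX.Y.Z` layout used here, and the sample workflow and SHAs are constructed placeholders.

```python
import re
from dataclasses import dataclass

# `uses: owner/repo[/path]@ref`, optionally followed by `# comment`.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"\s*(?:#\s*(?P<comment>\S+))?"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")      # only a full commit SHA counts as pinned
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")     # trailing comment must carry the version tag


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    problem: str


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` step that is unpinned or lacks the tag comment."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue  # local (./path) and docker:// actions carry no `@ref`; skipped here
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if not SHA_RE.match(ref):
            # tags (v5) and short SHAs can move or be ambiguous
            findings.append(Finding(lineno, action, ref, "not pinned to a full commit SHA"))
        elif comment is None or not TAG_RE.match(comment):
            findings.append(Finding(lineno, action, ref, "pinned but missing the version tag comment"))
    return findings


# Constructed sample workflow (the SHAs are placeholders, not real commits):
# a floating tag, a short SHA, a pinned step without a comment, and a correct one.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v5
      - uses: actions/upload-artifact@1a2b3c4
      - uses: actions/download-artifact@0000000000000000000000000000000000000000
      - uses: actions/checkout@1111111111111111111111111111111111111111  # v6.0.2
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE):
        print(f"line {f.line}: {f.action}@{f.ref}: {f.problem}")
```

Running it over a checkout's `.github/workflows/*.yml` in CI gives a cheap guard against a future PR reintroducing a floating tag.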
r? @jdno

rustbot has assigned @jdno.
I'm surprised official GitHub actions don't use immutable releases yet.
Yeah, same, but unfortunately that seems to be the case. Once they switch to immutable releases we can consider going back, although we would then still need to use the full version tags (v1.2.3 instead of v1) to take advantage.
r? @marcoieni
I think it's better to set up Renovate and let it do this job. Otherwise we need to update these actions manually after we merge this. Or worse, these actions don't get updated.
At the moment renovate isn't enabled in this repo. So we should
Wdyt?
Sounds good to me, but at least the first step requires permissions that I don't have :D
You can raise a PR in the team repo 👍
☔ The latest upstream changes (presumably #157586) made this pull request unmergeable. Please resolve the merge conflicts.
Pins GitHub Actions to their commit SHA digests and keeps them updated. This lets Renovate handle the pinning that was proposed in rust-lang#155089 instead of maintaining it manually.
Configure Renovate for GitHub Actions

This sets up Renovate to keep our GitHub Actions pinned to commit SHAs and up to date, as a follow-up to rust-lang#155089 where we pinned them by hand. The actual pinning is handled by the `helpers:pinGitHubActionDigests` preset.

For now every update has to be approved from the Dependency Dashboard before Renovate opens a PR. I expect this to be temporary while we get the config right, since it lets us preview what Renovate wants to do without flooding the PR list. Once the pinning and the update PRs look correct, we can drop the approval requirement for the github-actions manager and let those flow through automatically.

Renovate also skips the subtree paths, since those tools are maintained in their own repositories and synced back in, and rust-lang#134127 showed what happens when it starts editing them directly. The lockfile maintenance job is gone as well, since it was broken anyway.

r? @marcoieni
This enables Renovate to pin GitHub Actions to SHAs and keep them up-to-date. See rust-lang/rust#155089 (comment)
Closing in favor of #158007.