Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Pin+update Github Actions, add dependabot config for action updates #568

Open
wants to merge 3 commits into
base: dev
Choose a base branch
from

Conversation

dbast
Copy link
Contributor

@dbast dbast commented Jul 8, 2024

The current Github actions used in the test and build workflow are outdated and cause the following warnings:

  • The following actions uses Node.js version which is deprecated and will be forced to run on node20: actions/checkout@v3, actions/setup-python@v4, actions/upload-artifact@v3
  • The following artifacts were uploaded using a version of actions/upload-artifact that is scheduled for deprecation: "ci-artifacts"

see e.g. https://github.com/SeedSigner/seedsigner/actions/runs/9842707509

This PR therefore updates all actions and additionally pins them to their exact git sha1 (with human readable version as comment). This is done for security reasons as plain versions are git tags and thus are mutable = can influence the workflow outcome if manipulated.

see also https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

An added dependabot config helps to keep those actions up-to-date and makes it much easier as no person has to deal with manually updating action sha1s. Merging this PR results in the creation of automatic update PRs by dependebot as can be seen here dbast#8

Description

Describe the change simply. Provide a reason for the change.

Include screenshots of any new or modified screens (or at least explain why they were omitted)

This pull request is categorized as a:

  • New feature
  • Bug fix
  • Code refactor
  • Documentation
  • Other

Checklist

  • I’ve run pytest and made sure all unit tests pass before sumbitting the PR

If you modified or added functionality/workflow, did you add new unit tests?

  • No, I’m a fool
  • Yes
  • N/A

I have tested this PR on the following platforms/os:

Note: Keep your changes limited in scope; if you uncover other issues or improvements along the way, ideally submit those as a separate PR. The more complicated the PR the harder to review, test, and merge.

dbast added 3 commits July 8, 2024 18:40
The current Github actions used in the test and build workflow are
outdated and cause the following warnings:
* The following actions uses Node.js version which is deprecated and will be forced to run on node20: actions/checkout@v3, actions/setup-python@v4, actions/upload-artifact@v3
* The following artifacts were uploaded using a version of actions/upload-artifact that is scheduled for deprecation: "ci-artifacts"

see e.g. https://github.com/SeedSigner/seedsigner/actions/runs/9842707509

This PR therefore updates all actions and additionally pins them to their
exact git sha1 (with human readable version as comment). This is done
for security reasons as plain versions are git tags and thus are mutable =
can influence the workflow outcome if manipulated.

see also https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

An added dependabot config helps to keep those actions up-to-date and makes
it much easier as no person has to deal with manually updating action
sha1s. Merging this PR results in the creation of automatic update PRs
by dependebot as can be seen here #8
with:
name: seedsigner_os_images
name: seedsigner_os_images_${{ matrix.target }}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

due to API change, each upload from the matrix (Python 3.10, 3.12) requires a different name

with:
name: seedsigner_os_images
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Required to download all differently named uploads from the same workflow run.

@@ -145,12 +144,12 @@ jobs:
- name: write sha256sum
run: |
cd images
sha256sum *.img > seedsigner_os.${{ env.source_hash }}.sha256
find . -name "*.img" -print0 | xargs -0 cat | sha256sum | tee seedsigner_os.${{ env.source_hash }}.sha256
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Required as all downloads end up in different subfolders

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant