Pin workflow actions sha's #1741
Conversation
|
I'd also like some documentation on the update process, e.g. how often these SHAs will be updated after this? I mean, [1] last one seems to have been 19 days ago: https://hub.docker.com/layers/amd64/ubuntu/20.04/images/sha256-cc9cc8169c9517ae035cf293b15f06922cb8c6c864d625a72b7b18667f264b70 |
automatically by dependabot using the interval set in this PR. |
|
I ran some tests on my personal project: tkatila#9 If one adds full version details in the comment (x.y.z) dependabot will also update the comment. I haven't tested the dockerfile update. I should test that before this is merged. |
Well. It doesn't work. Dependabot scanned a purposefully downgraded Dockerfile and deemed it ok. Looking closer at it, the documentation says that in order for dependabot to work:
That doesn't seem to be true for ubuntu or debian images: I'll see if there's some other way to update the sha's. |
|
One way to achieve updates for demo SHAs: I wrote a small script that uses frizbee to check for latest versions. That script is then used in a workload that updates the SHAs and creates a pull request: Comments? |
|
My 2 cents is that we could start with the actions pinning only and let the image sha support to evolve a bit (however, it looks the dependabot solution sets a lot of expectations for the image maintainers which may or may not happen anytime soon for the images we depend on). |
Sure. I'll modify this PR to only pin GH actions. We can re-evaluate Dockerfile pinning at a later date. |
tkatila
force-pushed
the
workflow-pin-to-sha
branch
from
271f650 to
204bfc0
Compare
And update sha's once a week. Signed-off-by: Tuomas Katila <[email protected]>
tkatila
force-pushed
the
workflow-pin-to-sha
branch
from
204bfc0 to
dfa9133
Compare
tkatila
changed the title
Fix issues generated by the scorecard.