chore(deps): update github-actions #864

Merged
merged 1 commit into from
Oct 31, 2022

renovate-bot
Contributor

@renovate-bot renovate-bot commented Sep 17, 2022

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/checkout | action | minor | v3.0.2 -> v3.1.0 |
| actions/download-artifact | action | patch | v3.0.0 -> v3.0.1 |
| actions/setup-go | action | patch | v3.3.0 -> v3.3.1 |
| actions/setup-node | action | minor | v3.4.1 -> v3.5.1 |
| actions/upload-artifact | action | patch | v3.1.0 -> v3.1.1 |
| actions/upload-artifact | action | digest | 3cea537 -> 83fd05a |
| github/codeql-action | action | patch | v2.1.22 -> v2.1.29 |
| sigstore/cosign-installer | action | minor | v2.6.0 -> v2.8.1 |

Release Notes

actions/checkout

v3.1.0

actions/download-artifact

v3.0.1

actions/setup-go

v3.3.1

In scope of this release we fixed the issue with the correct generation of the cache key when the go-version-file input is set (https://github.com/actions/setup-go/pull/267). Moreover, we fixed an issue when the cache folder was not found. Besides, we updated actions/core to 1.10.0 version (https://github.com/actions/setup-go/pull/273).

actions/setup-node

v3.5.1

In scope of this release we updated actions/core to 1.10.0. Moreover, we added logic to print Nodejs, Npm, Yarn versions after installation.

v3.5.0

In scope of this release we add support for engines.node. The action will be able to grab the version from package.json#engines.node. https://github.com/actions/setup-node/pull/485. Moreover, we added support for Volta.

Besides, we updated @actions/core to 1.9.1 and @actions/cache to 3.0.4.

actions/upload-artifact

v3.1.1

  • Update actions/core package to latest version to remove set-output deprecation warning #351

github/codeql-action

v2.1.29

v2.1.28

v2.1.27

v2.1.26

v2.1.25

v2.1.24

v2.1.23

sigstore/cosign-installer

v2.8.1

What's Changed

Full Changelog: sigstore/cosign-installer@v2...v2.8.1

v2.8.0

What's Changed

Full Changelog: sigstore/cosign-installer@v2.7.0...v2.8.0

v2.7.0

What's Changed

Full Changelog: sigstore/cosign-installer@v2...v2.7.0


Configuration

📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@laurentsimon
Collaborator

interesting: many pre-submits are failing

@laurentsimon
Collaborator

/cc @ianlewis we may have updated the ncc dependency. I'm curious why it was not caught during an early pre-submit. Maybe another problem?

@ianlewis
Member

ianlewis commented Sep 21, 2022

check-dist-matrix is covered in #883.

For others it seems that building the builder is failing on verify-checkout. I'm not sure why.

mismatch git sha 81e7de69c1ac2722c5e0f48de5158e1738290b76 != 895fca8cfd55bd11d27ee394ae2eeb486328f9da

Maybe because of some change that happened to verify-checkout that happened between commits e3220805577deb9d193f64e519abcb3b50851df5 and de4491844e9be4184f786666af40f5b1b8e7ddc0?

@laurentsimon
Collaborator

I noticed this error too. Very strange

renovate-bot force-pushed the renovate/github-actions branch 7 times, most recently from 55000ec to ed42b7f (September 27, 2022 03:35)
renovate-bot changed the title from "Update github-actions" to "chore(deps): update github-actions" (Sep 27, 2022)
renovate-bot force-pushed the renovate/github-actions branch 5 times, most recently from 189cbe8 to 7d2b847 (October 4, 2022 11:12)
renovate-bot force-pushed the renovate/github-actions branch 2 times, most recently from e97b268 to 2e12a49 (October 6, 2022 23:46)

@ianlewis
Member

ianlewis commented Oct 7, 2022

So it seems like we had been referencing generate-builder at e322080
https://github.com/slsa-framework/slsa-github-generator/blob/main/.github/workflows/generator_generic_slsa3.yml#L111

Which uses checkout-go at f9878d1

uses: slsa-framework/slsa-github-generator/.github/actions/checkout-go@f9878d18f3c896502bdb5bbb96187fb787d529bb

which doesn't call verify-checkout
https://github.com/slsa-framework/slsa-github-generator/blob/f9878d18f3c896502bdb5bbb96187fb787d529bb/.github/actions/checkout-go/action.yml

But when I update the generate-builder to use my test release per the release instructions it now includes the verify-checkout check and fails.

I think verify-checkout is maybe assuming that GITHUB_SHA and the locally checked out workspace will always be the same repo? In normal cases the GITHUB_SHA will be a digest from the user's repo and the local checkout will likely be the slsa-github-generator repo. e.g. when building the builder/generator.
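
The situation described in the comment above, as an added example (not code from this PR or from the project's verify-checkout action): a checkout is compared with GITHUB_SHA only when it comes from the workflow's own repository, while a checkout of another repository, such as the generator's, must match an explicitly pinned SHA. The function names, the pinned-SHA argument and the `example/app` repository are assumptions.

```bash
#!/usr/bin/env bash
# Added example: when may a checked-out commit be compared with GITHUB_SHA?
# GITHUB_SHA and GITHUB_REPOSITORY are real Actions variables; the function
# names and the optional "pinned sha" argument are hypothetical.

# Normalise a GitHub origin URL (https or ssh form) to "owner/repo".
repo_slug() {
  local url="${1%.git}"
  url="${url#https://github.com/}"
  url="${url#git@github.com:}"
  printf '%s\n' "$url"
}

# check_checkout WF_REPO WF_SHA CHECKOUT_REPO CHECKOUT_SHA [PINNED_SHA]
# Prints a verdict; returns 0 to accept, 1 to reject.
check_checkout() {
  local wf_repo="$1" wf_sha="$2" co_repo="$3" co_sha="$4" pinned="${5:-}"
  local want="$wf_sha"
  if [ "$co_repo" != "$wf_repo" ]; then
    # Foreign checkout (e.g. the builder's own source): GITHUB_SHA says
    # nothing about it, so only an explicitly pinned sha can vouch for it.
    if [ -z "$pinned" ]; then
      echo "reject: $co_repo is not $wf_repo and no sha was pinned"; return 1
    fi
    want="$pinned"
  fi
  if [ "$co_sha" != "$want" ]; then
    echo "mismatch git sha $co_sha != $want"; return 1
  fi
  echo "ok: $co_repo at $co_sha"
}

# Wrapper for a runner: take repo and HEAD from a working tree via git.
verify_dir() {
  local dir="$1" pinned="${2:-}"
  check_checkout "$GITHUB_REPOSITORY" "$GITHUB_SHA" \
    "$(repo_slug "$(git -C "$dir" remote get-url origin)")" \
    "$(git -C "$dir" rev-parse HEAD)" "$pinned"
}

# Constructed demo. The two SHAs are those in the mismatch message quoted in
# the thread; which one was GITHUB_SHA is assumed, and example/app is made up.
USER_SHA=81e7de69c1ac2722c5e0f48de5158e1738290b76
GEN_SHA=895fca8cfd55bd11d27ee394ae2eeb486328f9da
GEN_REPO=slsa-framework/slsa-github-generator
check_checkout example/app "$USER_SHA" example/app "$USER_SHA"
check_checkout example/app "$USER_SHA" "$GEN_REPO" "$GEN_SHA" "$GEN_SHA"
check_checkout example/app "$USER_SHA" "$GEN_REPO" "$GEN_SHA" || true
```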

renovate-bot force-pushed the renovate/github-actions branch 3 times, most recently from e1cee53 to 5dd68a9 (October 18, 2022 06:55)

@laurentsimon
Collaborator

FYI, I'm going to try to clean up the reference problem in #880.

renovate-bot force-pushed the renovate/github-actions branch 16 times, most recently from 592443c to 0d773f9 (October 23, 2022 23:39)
renovate-bot force-pushed the renovate/github-actions branch 3 times, most recently from 256cdd0 to 64e2995 (October 27, 2022 12:54)