Conversation

build/Dockerfile (outdated)

    # Install dependencies
    RUN apt-get update && apt-get install -y gcc binutils
    RUN apt-get update && apt-get install -y musl-tools binutils
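Review bot: both RUN lines in build/Dockerfile run `apt-get update` in a layer that never removes `/var/lib/apt/lists`, so the package index is baked into the image; the later build/Dockerfile hunk on this page already chains `&& rm -rf /var/lib/apt/lists/*` onto the install line and the same cleanup belongs here. If both RUN lines are meant to remain, merging them into a single `apt-get install -y gcc musl-tools binutils` also avoids a second `apt-get update` layer.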
    uses: actions/checkout@v4

    - name: Download test artifacts
      uses: actions/download-artifact@v4
🟠 Code Vulnerability
Workflow depends on a GitHub action pinned by tag instead of a hash.
Pin GitHub Actions by commit hash to ensure supply chain security.
Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full-length commit SHA. You can find the commit SHA for the latest tag from the action's repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

    core.setOutput("check_run_id", checkRun.data.id);

    - name: Checkout repository
      uses: actions/checkout@v4
🟠 Code Vulnerability
Workflow depends on a GitHub action pinned by tag instead of a hash.
Pin GitHub Actions by commit hash to ensure supply chain security.
Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full-length commit SHA. You can find the commit SHA for the latest tag from the action's repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

    path: ${{ github.workspace }}/build_artifacts

    - name: Install rust nightly
      uses: actions-rust-lang/setup-rust-toolchain@v1
🟠 Code Vulnerability
Workflow depends on a GitHub action pinned by tag instead of a hash.
Pin GitHub Actions by commit hash to ensure supply chain security.
Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full-length commit SHA. You can find the commit SHA for the latest tag from the action's repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

    core.setOutput("check_run_id", checkRun.data.id);

    - name: Checkout repository
      uses: actions/checkout@v4
🟠 Code Vulnerability
Workflow depends on a GitHub action pinned by tag instead of a hash.
Pin GitHub Actions by commit hash to ensure supply chain security.
Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full-length commit SHA. You can find the commit SHA for the latest tag from the action's repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

    steps:
      - name: Create Check
        id: create_check
        uses: actions/github-script@v7
🟠 Code Vulnerability
Workflow depends on a GitHub action pinned by tag instead of a hash.
Pin GitHub Actions by commit hash to ensure supply chain security.
Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full-length commit SHA. You can find the commit SHA for the latest tag from the action's repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

    - name: Update Check
      if: always()
      uses: actions/github-script@v7
🟠 Code Vulnerability
Workflow depends on a GitHub action pinned by tag instead of a hash.
Pin GitHub Actions by commit hash to ensure supply chain security.
Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full-length commit SHA. You can find the commit SHA for the latest tag from the action's repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

    uses: actions/checkout@v4

    - name: Download test artifacts
      uses: actions/download-artifact@v4
🟠 Code Vulnerability
Workflow depends on a GitHub action pinned by tag instead of a hash.
Pin GitHub Actions by commit hash to ensure supply chain security.
Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full-length commit SHA. You can find the commit SHA for the latest tag from the action's repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

    - name: Cache dependencies
      uses: Swatinem/rust-cache@v2
    - name: Install rust nightly
      uses: actions-rust-lang/setup-rust-toolchain@v1
🟠 Code Vulnerability
Workflow depends on a GitHub action pinned by tag instead of a hash.
Pin GitHub Actions by commit hash to ensure supply chain security.
Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full-length commit SHA. You can find the commit SHA for the latest tag from the action's repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

da19e02 to 042307b
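The review comments above all flag the same condition: a `uses:` reference that resolves to a mutable tag or branch rather than a full-length commit SHA. The scanner below is an added example, not code from this PR or from the review tool; it walks workflow YAML line by line with a regular expression, reports every `uses:` step that is not pinned to a 40-hex-digit SHA, and also reports SHA pins that lack the SemVer comment the review recommends. The workflow text it scans is constructed for the example (the all-zero SHA is a placeholder, not a real commit) and the step names mirror those visible in this PR.

```python
import re

# A `uses:` step reference: owner/repo[/subpath]@ref, optionally followed
# by a "# vX.Y.Z" comment as the review comments recommend.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S.*?))?\s*$"
)
# A full-length commit SHA is exactly 40 lowercase hex digits.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_uses_line(line):
    """Classify one workflow line.

    Returns None for lines that are not `uses:` steps. Otherwise returns a
    dict with the action, the ref and one of three statuses:
      "unpinned"                      - tag or branch such as @v4 or @main
      "pinned-sha-no-version-comment" - SHA pin without a "# vX.Y.Z" note
      "pinned-sha"                    - SHA pin with the version comment
    """
    m = USES_RE.match(line)
    if not m:
        return None
    action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
    if SHA_RE.match(ref):
        status = "pinned-sha" if comment else "pinned-sha-no-version-comment"
    else:
        status = "unpinned"
    return {"action": action, "ref": ref, "status": status}


def scan_workflow(text):
    """Return [(line_number, finding)] for every step that needs attention."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        finding = check_uses_line(line)
        if finding and finding["status"] != "pinned-sha":
            findings.append((lineno, finding))
    return findings


# Constructed sample workflow; step names follow the ones shown in this PR.
# The all-zero SHA is a placeholder used only to exercise the missing-comment case.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Install rust nightly
        uses: actions-rust-lang/setup-rust-toolchain@v1
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/github-script@0000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for lineno, f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {f['action']}@{f['ref']} is {f['status']}")
```

Run against the sample, the scanner reports the two tag-pinned steps (`@v4`, `@v1`) and the SHA pin that has no version comment, and stays silent on the line that already matches the reviewer's recommended form. Local actions (`./path`) and `docker://` references contain no `@` and are deliberately ignored; a pre-merge check like this complements the dependabot auto-update the review comments mention, because dependabot keeps the SHA current but does not stop a new tag-pinned step from being introduced.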
build/Dockerfile (outdated)

    RUN apt-get update && apt-get install -y \
        wget \
        gcc \
        libc6-dev \
        tar \
        && rm -rf /var/lib/apt/lists/*
build/Dockerfile (outdated)

    RUN apt-get update && apt-get install -y \
        wget \
        gcc \
        libc6-dev \
        tar
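Review bot: this copy of the install step in build/Dockerfile ends at `tar` and drops the `&& rm -rf /var/lib/apt/lists/*` cleanup that the other copy of the same hunk on this page keeps, so the apt package index stays in the final image layer; put the cleanup back on the same RUN line, since a separate RUN afterwards cannot shrink a layer that has already been committed.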
What does this PR do?
Motivation
Additional Notes
Possible Drawbacks / Trade-offs
Describe how to test/QA your changes