🚨 Update github actions (release-v0.7) (major) #1684
base: release-v0.7
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -42,7 +42,7 @@ jobs: | |
| disable-telemetry: true | ||
|
|
||
| - name: Checkout code | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | ||
|
|
||
| - name: Setup Go environment | ||
| uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 | ||
|
|
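Review bot: the `# v7.0.0` trailer on `uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0` is a comment the runner never checks; the pin is the SHA, so confirm that this commit is the one the upstream v7.0.0 tag resolves to and read the v7 release notes for changed defaults before the bump lands on the release-v0.7 branch. The same verification covers the identical checkout bumps in the other hunks of this PR.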
@@ -71,7 +71,7 @@ jobs: | |
| # run: ./hack/validate-acceptable-bundles.sh | ||
|
|
||
| - name: Upload test coverage report | ||
| uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2 | ||
| uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0 | ||
|
[low] major-version-jump codecov/codecov-action is bumped from v5.5.2 to v7.0.0, skipping v6 entirely. Verify the CODECOV_TOKEN env-var pattern and input parameters are still compatible with v7.
||
| if: always() | ||
| env: | ||
| CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | ||
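Review bot: jumping codecov/codecov-action from v5.5.2 straight to v7.0.0 folds two major releases' breaking changes into one step on a release branch; beyond verifying that `fb8b3582c8e4def4969c97caa2f19720cb33a72f` is the upstream v7.0.0 commit, exercise this workflow once before merging so that the `if: always()` upload with `CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}` is confirmed to succeed rather than discovered broken on the first release run.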
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -48,7 +48,7 @@ jobs: | |
| disable-telemetry: true | ||
|
|
||
| - name: Checkout code | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
|
|
@@ -81,7 +81,7 @@ jobs: | |
| disable-telemetry: true | ||
|
|
||
| - name: Checkout | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
|
|
@@ -114,7 +114,7 @@ jobs: | |
| Also save the release notes in a file named "release-notes.md". | ||
|
|
||
| - name: Upload artifact | ||
| uses: actions/upload-artifact@v6 | ||
| uses: actions/upload-artifact@v7 | ||
|
[medium] pinning-inconsistency actions/upload-artifact@v7 uses a mutable tag reference instead of a SHA-pinned commit hash. The same PR already pins this action to a SHA in scorecards.yml (actions/upload-artifact@043fb46 # v7.0.1), making the inconsistency clear. Suggested fix: Pin to actions/upload-artifact@043fb46 # v7.0.1
[low] supply-chain integrity upload-artifact is referenced by mutable tag (@v7) instead of a pinned commit SHA, inconsistent with the SHA-pinning convention used for other actions in this repository. Pre-existing condition carried forward from @v6. Suggested fix: Pin to actions/upload-artifact@043fb46 # v7.0.1 (matching scorecards.yml).
||
| with: | ||
| name: release-notes | ||
| path: release-notes.md | ||
|
|
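Review bot: `uses: actions/upload-artifact@v7` is the only reference in this hunk left on a mutable tag while every other `uses:` in the PR is updated to a full SHA with a version trailer, which suggests the tooling that generated this PR is not configured to pin this step; pin it to the v7 commit SHA (the existing comments cite `043fb46` as v7.0.1) and fix the pin configuration so the next automated bump keeps it pinned. This matters more than usual here because the `release-notes.md` uploaded by this step is later downloaded and fed into the job that creates the release.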
@@ -137,7 +137,7 @@ jobs: | |
| disable-telemetry: true | ||
|
|
||
| - name: Checkout | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
|
|
@@ -152,12 +152,12 @@ jobs: | |
| git push -f --tags | ||
|
|
||
| - name: Download artifact | ||
| uses: actions/download-artifact@v7 | ||
| uses: actions/download-artifact@v8 | ||
|
[medium] pinning-inconsistency actions/download-artifact@v8 uses a mutable tag reference instead of a SHA-pinned commit hash. All other action references in this repository use SHA pinning. This workflow has contents:write permissions, making the supply-chain risk more impactful. Suggested fix: Pin to the specific commit SHA for actions/download-artifact v8, e.g. actions/download-artifact@ # v8.0.1
[low] supply-chain integrity download-artifact is referenced by mutable tag (@v8) instead of a pinned commit SHA, inconsistent with the SHA-pinning convention used for other actions in this repository. Pre-existing condition carried forward from @v7. Suggested fix: Pin to actions/download-artifact@ # v8.0.x.
||
| with: | ||
| name: release-notes | ||
|
|
||
| - name: Create a release | ||
| uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0 | ||
| uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3.0.1 | ||
| with: | ||
|
[low] major-version-jump softprops/action-gh-release is bumped from v2.5.0 to v3.0.0. The step uses body, name, tag_name, make_latest, and generate_release_notes inputs. Verify v3 still supports these parameters with the same semantics.
||
| name: ${{ needs.get_info.outputs.next_version }} | ||
|
[info] commit SHA verification softprops/action-gh-release updated to SHA 718ea10b132b3b2eba29c1007bb80653f286566b (commented as v3.0.1). Verify this SHA against the official repository.
||
| tag_name: ${{ needs.get_info.outputs.next_version }} | ||
|
|
||
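Review bot: the trailer on `uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b` says `# v3.0.1` while the major-version-jump comment on this hunk calls it v3.0.0; resolve which tag that SHA actually corresponds to and make the trailer match. In the same hunk, `actions/download-artifact@v8` remains a mutable tag in a job that already runs `git push -f --tags` and then creates the release, so this job should not merge with any unpinned action; pin download-artifact to the v8 commit SHA alongside the other updates.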
[info] commit SHA verification actions/checkout updated to SHA 9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 (commented as v7.0.0). Verify against the official repository. Same change applies across all five workflow files.