ci: Bump and pin GitHub Actions layers#219
Conversation
I'd like to see a line either here or in a comment in the code about why we pin commits instead of versions.

I wrote up a proper description with my thinking above. Ideally I would like to add renovate to this repository and configure it to auto-merge PRs for actions from whitelisted repositories ( It's probably worth updating RFD 434: Using Renovate for dependency management or writing a new RFD with best practices for using Renovate.
Great, thanks. So we should probably do this in every repo, and most importantly in repos where CI uses secrets. |
Pin GitHub actions to full sha1 hashes rather than refs (`v3`, etc.) because the latter are unstable and can change. For example, these three all currently point to `actions/checkout@9c091bb`:

- The first one will change (updated tag force pushed to replace old tag)
- The second one could change
- The third one will never change

For any 3rd party action we should absolutely pin, because one tag force push with compromised credentials and we'd be running arbitrary code.

If an actions repo adopted Immutable Releases we could safely use the `@v7.0.0` style pin, but none of the first party `actions/*` repos have done so, as it would mean that they could no longer publish tags like `v7`. See:

The format of putting the tag in a trailing comment matches that of renovate. This repo is not currently configured for renovate, although I think that would be reasonable to do in the future.
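A lint for the pinning convention described in this PR, as an added example (not code from this PR or its repository): it scans workflow text for `uses:` lines, flags any ref that is not a full 40-hex commit sha, and flags sha pins that lack the trailing `# <tag>` comment in the renovate-style format. The sample workflow and the 40-hex shas in it are constructed placeholders, not real commits; the function names are assumptions of this example.

```python
"""Lint GitHub Actions workflow text for unpinned `uses:` references.

Added example, not code from this PR or its repository. It checks the
convention the PR describes: `owner/repo@<40-hex sha> # vX.Y.Z`, with the
human-readable tag kept in a trailing comment (the same layout renovate's
github-actions manager reads). Sample input below is constructed.
"""
import re
from dataclasses import dataclass

# `uses:` line (step form `- uses:` or bare `uses:`) with optional trailing `# comment`.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^@\s]+)@(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>.*))?$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    problem: str


def lint_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` line that is not sha-pinned with a tag comment."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue  # not a `uses:` line, or a local `./path` action (no `@`)
        action, ref, comment = m.group("action", "ref", "comment")
        if action.startswith("docker://"):
            continue  # docker images use `@sha256:...` digests, a different pin format
        if not FULL_SHA_RE.fullmatch(ref):
            # A tag (`v3`, `v3.5.2`) or branch can be moved or force pushed.
            findings.append(Finding(n, action, ref, "ref is not a full 40-hex commit sha"))
        elif not comment or not re.match(r"v?\d", comment.strip()):
            # Sha is immutable, but without the tag comment nobody (human or renovate)
            # can tell which release it corresponds to.
            findings.append(Finding(n, action, ref, "sha pin lacks trailing '# <tag>' comment"))
    return findings


def pin_line(action: str, sha: str, tag: str) -> str:
    """Render a `uses:` value in the pinned form with the tag as a trailing comment."""
    if not FULL_SHA_RE.fullmatch(sha):
        raise ValueError(f"{sha!r} is not a full 40-hex commit sha")
    return f"{action}@{sha} # {tag}"


# Constructed sample workflow; the shas are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v3
      - uses: actions/checkout@v3.5.2
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v3.5.2
      - uses: actions/setup-go@fedcba9876543210fedcba9876543210fedcba98
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for f in lint_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.action}@{f.ref}: {f.problem}")
    print(pin_line("actions/checkout", "0123456789abcdef0123456789abcdef01234567", "v3.5.2"))
```

Run it over `.github/workflows/*.yml` in CI and fail the job on any finding; the `# <tag>` comment is what lets renovate (or a reviewer) see which release a sha corresponds to when it proposes a bump.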