Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pin github actions by hash and update via dependabot #8335

Merged
merged 2 commits into from
Feb 4, 2025
Merged

pin github actions by hash and update via dependabot #8335

merged 2 commits into from
Feb 4, 2025

Conversation

xopham
Copy link
Contributor

@xopham xopham commented Feb 4, 2025
edited
Loading

What Does This Do

  • Add dependabot for github actions
  • Pin actions by hash

Motivation

Pinning 3rd-party GitHub Actions by commit SHA makes them less vulnerable to compromise of the 3rd party. To avoid outdating and non-verbosity, versions are commented after the SHA and updating via dependabot is introduced that will automatically update the commented version tag as well.

In case of a false commit SHA, this change could break the corresponding workflow. Typically, this does not cause major interruptions, but it can for example affect a release pipeline and require restart causing delays.

Additional Notes

Contributor Checklist

Jira ticket: [PROJ-IDENT]

@xopham xopham added the tag: no release notes Changes to exclude from release notes label Feb 4, 2025
@xopham xopham changed the title ci: pin github actions by hash and update via dependabot pin github actions by hash and update via dependabot Feb 4, 2025
@xopham xopham marked this pull request as ready for review February 4, 2025 15:49
@xopham xopham requested a review from a team as a code owner February 4, 2025 15:49
@xopham xopham requested a review from amarziali February 4, 2025 15:49
@PerfectSlayer PerfectSlayer added the comp: tooling Build & Tooling label Feb 4, 2025
@xopham xopham merged commit 771c9d1 into master Feb 4, 2025
199 of 202 checks passed
@xopham xopham deleted the christoph.hamsen/pin-update-gh-actions branch February 4, 2025 16:23
@github-actions github-actions bot added this to the 1.47.0 milestone Feb 4, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@PerfectSlayer PerfectSlayer PerfectSlayer approved these changes

@amarziali amarziali Awaiting requested review from amarziali amarziali is a code owner automatically assigned from DataDog/apm-java

Assignees
No one assigned
Labels
comp: tooling Build & Tooling tag: no release notes Changes to exclude from release notes
Projects
None yet
Milestone
1.47.0
Development

Successfully merging this pull request may close these issues.
2 participants
@xopham @PerfectSlayer