[TASK] Update and SHA-pin all GitHub Actions #1184
CybotTM wants to merge 3 commits into TYPO3-Documentation:main from
Conversation
The best course of action seems to be to merge this and try it out and watch the first runs of the pipelines. I see less risk in hardening the versions, but you made major upgrades to some versions, so we would have to watch the pipelines closely. Best would be to merge this when no TYPO3 Core releases are planned that week, so that we don't suddenly have all the important manuals rendering.
- actions/checkout: v4 -> v6
- ramsey/composer-install: v2 -> v3
- docker/setup-buildx-action: v2 -> v3 (merge job)
- actions/upload-artifact: v4 -> v6
- actions/download-artifact: v4 -> v7
- actions/cache: v4 -> v5
- dependabot/fetch-metadata: v1/pinned SHA -> v2
- frankdejonge/use-github-token: 1.0.2 -> 1.1.0
- frankdejonge/use-subsplit-publish: 1.0.0 -> 1.1.0
Update actions/checkout from v4 to v6 in docker-test.yaml, which was missed in the initial actions update commit.
Pin all GitHub Actions to their exact commit SHAs for supply chain security. Version comments are included for maintainability.
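As an added example that is not part of this PR or the render-guides repository: a small Python check that classifies every `uses:` reference in a workflow the way the pinning commit above treats them (full commit SHA with a version comment versus a mutable tag or branch). The sample workflow and its 40-hex SHAs are constructed placeholders, not real commits of those actions.

```python
import re

# Constructed sample workflow (not from the PR); the 40-hex values are
# placeholder SHAs, not real commits of those actions.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6.0.0
      - uses: actions/cache@fedcba9876543210fedcba9876543210fedcba98
      - uses: ./.github/actions/local-step
      - uses: some-org/some-action@main
"""
# A step's `uses:` reference, with an optional trailing `# vX.Y.Z` comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)(?:\s*#\s*(?P<comment>.*))?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Statuses: sha-pinned (40-hex SHA plus version comment, the policy in the PR),
# sha-no-comment (SHA but no comment, so bumps are hard to review),
# tag-pinned (a tag like v4 that the publisher can move), branch (always
# mutable), local-or-docker (./path or docker://, not a marketplace action).
def audit_uses(workflow_text):
    """Return (line_no, action, ref, status) for every `uses:` line."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group("ref").strip("'\""), m.group("comment") or ""
        if ref.startswith("./") or ref.startswith("docker://"):
            findings.append((line_no, ref, "", "local-or-docker"))
            continue
        action, _, version = ref.partition("@")
        if FULL_SHA_RE.match(version):
            status = "sha-pinned" if re.match(r"v?\d", comment) else "sha-no-comment"
        elif re.match(r"v?\d", version):
            status = "tag-pinned"
        else:
            status = "branch"
        findings.append((line_no, action, version, status))
    return findings

def unpinned(workflow_text):
    """Only the findings that a SHA-pinning policy would reject."""
    return [f for f in audit_uses(workflow_text)
            if f[3] in ("tag-pinned", "branch", "sha-no-comment")]

for line_no, action, version, status in unpinned(SAMPLE_WORKFLOW):
    print(f"line {line_no}: {action}@{version} -> {status}")
```

Running it over the real `.github/workflows/*.yaml` files of a repository gives a reviewable list of every reference that is still mutable, which is the check a reviewer would want before and after a PR like this one.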
Apart from the switch to commit hashes, which I will not discuss for now, this pull request fails to provide a detailed analysis and risk assessment about raising marketplace actions one or in some cases two major versions. Actions following semver could introduce breaking things with new versions, dropping stuff and similar, and possibly need adjustments. None of this is contained or mentioned in the pull request or the single commit messages. Taking into account that this pull request not only changes the version of official GitHub-provided actions but also third-party marketplace actions, this would have to be read up on. Can you please provide a detailed risk assessment about the raises and the analysis if there are changes, or a statement that it is okay with a reasoning for each of the updated actions?
Note: The list needs to be reviewable and easily verifiable, providing links.
Important: DISCLAIMER: Not part of the documentation team, above mentioned
I am done with the PR; close it if it does not meet your ad-hoc requirements. I'm fine with rejecting this PR, it would just be nice to have such requirements defined upfront, not afterwards.
I added the major version changes and skipped minor and bugfix ones, as these are already auto-merged currently.
Save CO² - update your node! ;-)
To make review easier and reduce scope, I would suggest avoiding mixing concerns and doing the SHA pinning and major version bumps in separate PRs. That way we can review the structural change (pinning) independently from the version upgrades.
Summary
Updates all GitHub Actions across 7 workflow files to their latest versions and pins every action to its exact commit SHA for supply chain security.
Version updates
Major version changes
In general these updates raise the Node.js version used by the actions to 20/24.
Also includes two additional fixes which do not affect render-guides as far as I can tell.
The breaking changes are the raised requirements for gitlab runners, which would only affect the project if it uses self-maintained runners.
persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config."
Additional SHA-pinned actions (already at latest version)
Files changed
- .github/workflows/main.yaml — checkout, setup-php, composer-install
- .github/workflows/docker.yaml — checkout, buildx, qemu, login, metadata, build-push, upload/download-artifact
- .github/workflows/docker-test.yaml — checkout
- .github/workflows/deploy-azure-assets.yaml — checkout
- .github/workflows/split-repositories.yaml — checkout, cache, use-github-token, use-subsplit-publish
- .github/workflows/pr-auto-merge.yaml — fetch-metadata
- .github/workflows/pr-auto-approve.yaml — fetch-metadata
Test plan