Update scorecard.yml to new checkout and analysis actions. #840
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Update scorecard workflow as per https://github.com/ossf/scorecard-action
aiuto
requested review from
cgrindel and
meteorcloudy
and removed request for
meteorcloudy
meteorcloudy
approved these changes
Mar 22, 2024
|
Whump, whump, whump. That still does not help. |
cgrindel
reviewed
Mar 22, 2024
| @@ -35,12 +35,12 @@ jobs: | |||
| uses: actions/setup-node@v4.0.2 | |||
|
|
|||
| - name: "Checkout code" | |||
| uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 | |||
| uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 | |||
There was a problem hiding this comment.
We may want to update this to 4.x.x soon. GitHub is deprecating actions that use node 16.
|
Probably yes. What I want is for scorecard to fix their documentation and
examples so they are up to date.
A potential policy based solution is that all the bazelbuild repositories
share the same scorecard setup. That way we only have to fix it for
bazelbuild/bazel and everyone else feels safe just copying that workflow to
their repository. This reduces churn and improves accountability.
…On Fri, Mar 22, 2024 at 11:25 AM Chuck Grindel ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In .github/workflows/scorecard.yml
<#840 (comment)>:
> @@ -35,12 +35,12 @@ jobs:
uses: ***@***.***
- name: "Checkout code"
- uses: ***@***.*** # v3.1.0
+ uses: ***@***.*** # v3.5.2
We may want to update this to 4.x.x soon. GitHub is deprecating actions
that use node 16
<https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/>
.
—
Reply to this email directly, view it on GitHub
<#840 (review)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAXHHHAJYZGYBJA7A6L3OWLYZREP7AVCNFSM6AAAAABFDLSDROVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMYTSNJVGEYDSNZSGA>
.
You are receiving this because you modified the open/close state.Message
ID: ***@***.***>
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Update scorecard workflow as per https://github.com/ossf/scorecard-action
My earlier suggested fix had no effect. This one seems more likely, based on the error message on the security tab
That suggests that actions/checkout is out of date.
<rant>I think it is inexcusable for a security scanner to not do numbered releases. You can not expect humans to audit and reason about github hashes.</rant>