Secure updates for GitHub Actions (and more) #2835
Comments
We similarly use commit SHA for actions in google/go-github, and dependabot now seems to support that (using SHAs in updates): google/go-github#2049

One additional thing we do, however, is to leave a comment for what release that SHA corresponds to (similar to what github/docs is doing in their allowlist). For example:

```yaml
steps:
  - uses: styfle/cancel-workflow-action@89f242ee29e10c53a841bfe71cc0ce7b2f065abc #0.9.0
```

It would be really nice if dependabot supported that and would bump the version in the comment. For now, we're just doing it manually in the PR (like in the example above)
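The convention described in the comment above (pin to a full commit SHA, keep a trailing comment naming the release) can be checked mechanically. The following is an added example written for this thread; it is not code from the issue, from Dependabot, or from google/go-github. It scans the `uses:` lines of a workflow file, flags refs that are tags or branches (mutable, so the action owner can move them without any change in the calling repository) and SHA pins that carry no release comment (a reviewer of an update PR cannot tell which version is being pulled in). The sample workflow and the `example/...` action names are constructed; the styfle line is the one quoted above.

```python
"""Audit the `uses:` references in a GitHub Actions workflow file.

Added example for the thread above; not code from the issue, from
Dependabot or from any project mentioned here. It checks the convention
of pinning each third-party action to a full commit SHA and keeping a
trailing comment naming the release that SHA was taken from.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# A full 40-hex-digit commit SHA. Abbreviated SHAs are deliberately not
# accepted: a short prefix is far easier to collide than the full hash.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

# Release comment such as "0.9.0", "v2" or "v3.1.0" (trailing text allowed).
VERSION_COMMENT = re.compile(r"^v?\d+(\.\d+)*")

# One `uses: owner/repo[/subdir]@ref  # comment` step line. Local actions
# (`./path`) and `docker://` images carry no `@ref` and are skipped.
USES_LINE = re.compile(
    r"^\s*-?\s*uses:\s*"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s]+)?)"
    r"@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>.*?))?\s*$"
)


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    kind: str               # "sha" or "mutable" (tag or branch)
    comment: Optional[str]
    ok: bool
    reason: str


def audit_workflow(text: str) -> List[Finding]:
    """Return one Finding per `uses:` line that references a remote action."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if not FULL_SHA.match(ref):
            # Tags and branches are mutable: whoever controls the action's
            # repository can point them at different code without any change
            # showing up in this workflow.
            findings.append(Finding(line_no, action, ref, "mutable", comment, False,
                                    "ref is a tag or branch, not an immutable commit SHA"))
        elif comment is None or not VERSION_COMMENT.match(comment):
            findings.append(Finding(line_no, action, ref, "sha", comment, False,
                                    "SHA pin has no release comment; reviewers cannot tell which version it is"))
        else:
            findings.append(Finding(line_no, action, ref, "sha", comment, True,
                                    "pinned to a full SHA with a release comment"))
    return findings


def violations(findings: List[Finding]) -> List[Finding]:
    """The subset of findings a reviewer should act on."""
    return [f for f in findings if not f.ok]


# Constructed sample workflow. The styfle/cancel-workflow-action line is the
# one quoted in the thread; the `example/...` actions are placeholders.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: styfle/cancel-workflow-action@89f242ee29e10c53a841bfe71cc0ce7b2f065abc #0.9.0
      - uses: example/some-action@0123456789abcdef0123456789abcdef01234567
      - uses: example/other-action@main
      - uses: ./.github/actions/local-thing
      - run: make test
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        status = "OK  " if f.ok else "FAIL"
        print(f"{status} line {f.line_no}: {f.action}@{f.ref} -> {f.reason}")
```

Run it over each file under `.github/workflows/` in CI and fail the job when `violations()` is non-empty; the version comment is purely informational, so the check only confirms it is present and parseable, it does not verify that the SHA really belongs to that release.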
Would love to see sha comment adjustments in Dependabot natively. For the meantime I wrote an action timmeinerzhagen/dependabot-sha-comment-action that does the trick for me
This is a bit of a test of Dependabot's support for managing SHA-based versions of GitHub Actions. In the original press release about Dependabot's support for GHAs, they say:

> Dependabot creates pull requests that update the action to the latest released tag (e.g., v2), regardless of if you’re currently on a release tag, a pre-release tag, or a specific hash.

github.blog/2020-06-25-dependabot-now-updates-your-actions-workflows/

But I think SHA-based updates were added as a part of: dependabot/dependabot-core#2835

I see examples where Dependabot apparently works with SHAs:

https://github.com/systemd/systemd/pull/22638/files
https://github.com/google/go-github/pull/2049/files

And those projects are using config like is proposed here:

https://github.com/systemd/systemd/blob/main/.github/dependabot.yml#L5
https://github.com/google/go-github/blob/master/.github/dependabot.yml#L15

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
This is a bit of a test of Dependabot's support for managing SHA-based versions of GitHub Actions. In the original press release about Dependabot's support for GHAs, they say:

> Dependabot creates pull requests that update the action to the latest released tag (e.g., v2), regardless of if you’re currently on a release tag, a pre-release tag, or a specific hash.

github.blog/2020-06-25-dependabot-now-updates-your-actions-workflows/

But I think SHA-based updates were added as a part of: dependabot/dependabot-core#2835

I see examples where Dependabot apparently works with SHAs:

https://github.com/systemd/systemd/pull/22638/files
https://github.com/google/go-github/pull/2049/files

And those projects are using config like is proposed here:

https://github.com/systemd/systemd/blob/main/.github/dependabot.yml#L5
https://github.com/google/go-github/blob/master/.github/dependabot.yml#L15

As always, we should be careful about taking updates from third parties and review these PRs to update GHAs carefully. Especially until submariner-io#1740 reduces the permissions of each job to the minimum required.

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
An alternative to this limitation of dependabot could be https://github.com/sethvargo/ratchet
Any updates on plans or roadmap of dependabot to support updating based on SHA instead of semver?
Evidently, it does, but as @willnorris mentioned, for readability a human should update the comment with the actual version.
From what I can tell, dependabot recently started updating
Oh, that would be fantastic if that's the case! Do you have an example?
Yes, this was recently contributed by the community! 🎉 Closing this since it's now fixed! |
We've decided to follow GitHub's example and best practice: updating the Actions we're using in a less blind but still somewhat automated manner. That's for security purposes.
Can Dependabot currently help with something from this list?