Reference actions by commit SHA #408
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
It's important to make sure the SHA's are from the original repositories and not forks. For reference: https://github.com/actions/upload-artifact/releases/tag/v3.1.2 actions/upload-artifact@0b7f8ab Also, we're not updating oss-fuzz since the project architecture does not support releases. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
It's important to make sure the SHA's are from the original repositories and not forks. For reference: https://github.com/actions/checkout/releases/tag/v3.5.3 actions/checkout@c85c95e https://github.com/actions/setup-python/releases/tag/v4.7.0 actions/setup-python@61a6322 https://github.com/lukka/run-vcpkg/releases/tag/v7.5 lukka/run-vcpkg@55dacfc https://github.com/actions/upload-artifact/releases/tag/v3.1.2 actions/upload-artifact@0b7f8ab Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
It's important to make sure the SHA's are from the original repositories and not forks. For reference: https://github.com/actions/checkout/releases/tag/v3.5.3 actions/checkout@c85c95e https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.14.2 github/codeql-action@f9a7c67 Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
|
To install renovatebot, configure it in this link: https://github.com/apps/renovate |
|
Since we are not using anything produced by the build (except for the build log in case of errors), we don't think the added complexity is worth it. Also, we're only using actions from GitHub, Google, and the vcpkg team, which have easier and harder to detect ways to screw up our build. I understand why this makes sense in other contexts, where the automated builds play a more central role. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Resolves #377
This PR changes GitHub Actions being referenced by tags like
@v1to@{commit-SHA}.We're not updating
oss-fuzzsince the project architecture does not support referencing by commit SHA.Also, I noticed the action
lukka/run-vcpkgis being used in major 7, but already has a major 11, would you like me to try bumping that action?