Pin GitHub Actions to specific commit SHAs #19
Closed
- Add input release: Whether to push release versions
- Add input pre-release: Whether to push pre-release versions
- Add input tag-release: After pushing a new gem version, git tag with the version string
Makes testing, debugging, editing and linting easier.
Devp/v1.1.0 See: fac/dev-platform#62
The previous naming was confusing and contentious. rubygems- made it look like it was for the actual rubygems site and registry. The intention was to show this is a ruby action dealing with gems. Changing the prefix to `ruby-gem-` to fix that. See: fac/dev-platform#62
v1.2.0 rename to ruby-gem-push-action See: fac/dev-platform#62
Review feedback. Let the normal logging through unhindered but log errors as GH errors. Avoids double logging in some cases.
Clean up gem push output handling See: fac/dev-platform#62
Version v1.3.0
Only do one type of release, so we only need one boolean instead of 2, which is a little confusing and allows for release anything and release nothing cases. One option simplifies all around. Pass the gem glob via the command call, like proper file arguments ;-)
Version v2
- Change: Don't pass the gem host around as an environment variable, extract from the gemspec.
- Change: Don't pass gem keys around in environment variables anymore. Use the installed creds by key name.
- Add: input key to set the key name in gem credentials to use.
- Change: Release/pre-release inputs collapsed into single pre-release input. Push is either release or pre-release version, can't do both (or none!) in the same call anymore.
- Add: Add linter for action code.
- Change: tag-release input renamed to just tag.
- Change: Use command line args instead of env variables for the internal command.
Update docs for new ruby-gem-setup-credentials-action
- Fix bug with pre-release getting ignored.
Version 2.1.0
Fix bug in pre-release:false
Explicitly check the push host URL before attempting to push a gem
Add actionlint workflow fac/dev-platform#314
Support ACTIONS_STEP_DEBUG for debug logging
So errors appear on the PR (so I don't waste time looking at passive-aggressive ASCII opossums in the workflow run logs)
So actionlint-shellcheck can find it
Detect when `allowed_push_host` or `GEM_HOST` is not set
Switch to the new method of setting outputs
prepare for v2.5.0
Adding working-directory support
Bumping README to point to `v2`
# What
Previously we added `actionlint` workflows to lots of repos:
- fac/dev-platform#314

They trigger on every push to a PR branch, so most of the time this is unnecessary, as workflows are rarely updated. Really we only need to trigger `actionlint` when workflows are changed. We're now looking to use org-wide reusable workflows that can be updated in one central place.
# Note!
The org-wide shared workflow is for private repos only. We're using `fac/hermod` as the public mirror for the private workflow since only a few repos are public and require this workflow. In future we might look to create a `shared-workflows-public` repo if necessary.

Dev-P ticket
- fac/dev-platform#1002
Use org-wide reusable workflow for actionlint
This PR pins all GitHub Actions to specific commit SHAs for improved security and stability.
Why pin Actions to SHAs?
Using commit SHAs instead of tags or branch names provides several security and stability benefits:
Implementation
`fac/[ops-]shared-workflows` on the `main` branch are intentionally excluded from pinning.

Part of https://github.com/fac/dev-platform/issues/2605