Pin+update Github Actions, add dependabot config for action updates

The current Github actions used in the test and build workflow are outdated and cause the following warnings: * The following actions uses Node.js version which is deprecated and will be forced to run on node20: actions/checkout@v3, actions/setup-python@v4, actions/upload-artifact@v3 * The following artifacts were uploaded using a version of actions/upload-artifact that is scheduled for deprecation: "ci-artifacts" see e.g. https://github.com/SeedSigner/seedsigner/actions/runs/9842707509 This PR therefore updates all actions and additionally pins them to their exact git sha1 (with human readable version as comment). This is done for security reasons as plain versions are git tags and thus are mutable = can influence the workflow outcome if manipulated. see also https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions An added dependabot config helps to keep those actions up-to-date and makes it much easier as no person has to deal with manually updating action sha1s. Merging this PR results in the creation of automatic update PRs by dependebot as can be seen here dbast#8
SeedSigner · Jul 8, 2024 · 58e2a32 · 58e2a32
1 parent dec01b2
commit 58e2a32
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 9 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,13 @@
+# See also:
+# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      github-actions:
+        patterns:
+          - '*'
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -31,7 +31,7 @@ jobs:
         target: [ "pi0", "pi2", "pi02w", "pi4" ]
     steps:
       - name: checkout seedsigner-os
-        uses: actions/checkout@v3
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           repository: "seedsigner/seedsigner-os"
           # use the os-ref input parameter in case of workflow_dispatch or default to main in case of cron triggers
@@ -42,7 +42,7 @@ jobs:
           fetch-depth: 0
 
       - name: checkout source
-        uses: actions/checkout@v3
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           # ref defaults to repo default-branch=dev (cron) or SHA of event (workflow_dispatch)
           path: "seedsigner-os/opt/rootfs-overlay/opt"
@@ -78,7 +78,7 @@ jobs:
           ls -la src
 
       - name: restore build cache
-        uses: actions/cache@v3
+        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
         # Caching reduces the build time to ~50% (currently: ~30 mins instead of ~1 hour,
         # while consuming ~850 MB storage space).
         with:
@@ -113,7 +113,7 @@ jobs:
           ls -la seedsigner-os/images
 
       - name: upload images
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
           name: seedsigner_os_images
           path: "seedsigner-os/images/*.img"
@@ -127,7 +127,7 @@ jobs:
     needs: build
     steps:
       - name: download images
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
         with:
           name: seedsigner_os_images
           path: images
@@ -148,7 +148,7 @@ jobs:
           sha256sum *.img > seedsigner_os.${{ env.source_hash }}.sha256
 
       - name: upload checksums
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
           name: seedsigner_os_images
           path: "images/*.sha256"

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -26,9 +26,9 @@ jobs:
         python-version: ["3.10", "3.12"]
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install dependencies
@@ -56,7 +56,7 @@ jobs:
           python -m pytest tests/screenshot_generator/generator.py
           cp -r ./seedsigner-screenshots ./artifacts/
       - name: Archive CI Artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
           name: ci-artifacts
           path: artifacts/**