Pin+update Github Actions, add dependabot config for action updates #568
Conversation
The current GitHub Actions used in the test and build workflow are outdated and cause the following warnings:

* The following actions use a Node.js version which is deprecated and will be forced to run on node20: actions/checkout@v3, actions/setup-python@v4, actions/upload-artifact@v3
* The following artifacts were uploaded using a version of actions/upload-artifact that is scheduled for deprecation: "ci-artifacts"

see e.g. https://github.com/SeedSigner/seedsigner/actions/runs/9842707509

This PR therefore updates all actions and additionally pins them to their exact git sha1 (with human readable version as comment). This is done for security reasons as plain versions are git tags and thus are mutable = can influence the workflow outcome if manipulated.

see also https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

An added dependabot config helps to keep those actions up-to-date and makes it much easier as no person has to deal with manually updating action sha1s. Merging this PR results in the creation of automatic update PRs by dependabot as can be seen here dbast#8
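The pinning policy the description argues for (full commit SHA instead of a mutable tag, a human-readable version comment next to it, and a Dependabot entry for the `github-actions` ecosystem) is easy to drift away from in later edits. The audit below is an added example, not code from this PR or from the SeedSigner project: it scans workflow text for `uses:` references that are still tags or branches, flags SHA pins that lack a version comment, and checks that a dependabot.yml covers GitHub Actions. The workflow snippets, the dependabot.yml and the 40-hex commit ids are constructed placeholders, not real upstream commits or the project's files.

```python
"""Audit GitHub Actions workflow text for mutable action references.

Added example, not SeedSigner project code. All inputs below are constructed
samples; the 40-hex commit ids are placeholders, not real upstream commits.
"""
import re
from typing import List, NamedTuple

# A step line of the form `uses: owner/repo[/path]@ref  # optional comment`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)\s*(#\s*(.*))?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


class ActionRef(NamedTuple):
    line: int
    action: str   # e.g. actions/checkout
    ref: str      # what follows '@' ("" for local / docker refs)
    kind: str     # "sha", "mutable", "local" or "docker"
    comment: str  # trailing comment, e.g. "v4.1.7"


def audit_workflow(text: str) -> List[ActionRef]:
    """Return one ActionRef per `uses:` line found in a workflow file."""
    found = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = USES_RE.match(raw)
        if not m:
            continue
        uses = m.group(1).strip("\"'")
        comment = (m.group(3) or "").strip()
        if uses.startswith("./"):                 # action shipped in this repo
            found.append(ActionRef(n, uses, "", "local", comment))
            continue
        if uses.startswith("docker://"):          # container image reference
            found.append(ActionRef(n, uses, "", "docker", comment))
            continue
        action, _, ref = uses.partition("@")
        # Only a full 40-hex commit id is immutable; tags and branches can be moved.
        kind = "sha" if FULL_SHA_RE.match(ref) else "mutable"
        found.append(ActionRef(n, action, ref, kind, comment))
    return found


def findings(text: str) -> List[str]:
    """Problems a reviewer would raise: mutable refs, and SHA pins without a version comment."""
    out = []
    for r in audit_workflow(text):
        if r.kind == "mutable":
            out.append(f"line {r.line}: {r.action}@{r.ref} is a tag or branch (mutable); pin to a commit SHA")
        elif r.kind == "sha" and not r.comment:
            out.append(f"line {r.line}: {r.action}@{r.ref[:7]} has no version comment; "
                       f"add '# vX.Y.Z' so reviewers and Dependabot can read the version")
    return out


def dependabot_covers_actions(text: str) -> bool:
    """True if a dependabot.yml declares an update entry for the github-actions ecosystem."""
    pat = re.compile(r'^\s*-?\s*package-ecosystem:\s*"?github-actions"?\s*$')
    return any(pat.match(line) for line in text.splitlines())


# Constructed sample: the tag-pinned shape the description calls outdated.
BEFORE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: "3.12"
      - uses: actions/upload-artifact@v3
"""

# Constructed sample: SHA pins with version comments; the last step is missing its comment.
AFTER = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.7
      - uses: actions/setup-python@fedcba9876543210fedcba9876543210fedcba98 # v5.1.1
        with:
          python-version: "3.12"
      - uses: ./.github/actions/local-helper
      - uses: actions/upload-artifact@89abcdef0123456789abcdef0123456789abcdef
"""

# Constructed dependabot.yml: Dependabot bumps the SHA and the trailing version comment together.
DEPENDABOT = """\
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(f"[{label}]")
        for problem in findings(text) or ["no findings"]:
            print("  " + problem)
    print("dependabot covers github-actions:", dependabot_covers_actions(DEPENDABOT))
```

Running it on `BEFORE` reports all three steps as mutable; on `AFTER` the only finding is the upload-artifact pin without a version comment. Local `./` actions are exempt because they are reviewed with the repository itself.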
with: | ||
name: seedsigner_os_images | ||
name: seedsigner_os_images_${{ matrix.target }} |
Due to the API change, each upload from the matrix (Python 3.10, 3.12) requires a different name.
with: | ||
name: seedsigner_os_images |
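Review bot: if the `name:` input is being dropped from the download step here, as the comment about fetching "all differently named uploads" implies, the step will pull every artifact of the run, not only the seedsigner_os_images_* uploads, so any unrelated artifact this workflow produces would land in the images directory as well. With actions/download-artifact@v4 (which the per-matrix artifact names require) `pattern: seedsigner_os_images_*` restricts the download to the image uploads, and `merge-multiple: true` flattens them into one directory so the checksum step does not have to walk per-artifact subfolders.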
Required to download all differently named uploads from the same workflow run.
@@ -145,12 +144,12 @@ jobs: | |||
- name: write sha256sum | |||
run: | | |||
cd images | |||
sha256sum *.img > seedsigner_os.${{ env.source_hash }}.sha256 | |||
find . -name "*.img" -print0 | xargs -0 cat | sha256sum | tee seedsigner_os.${{ env.source_hash }}.sha256 |
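Review bot: the new `write sha256sum` command no longer produces per-file checksums; `xargs -0 cat | sha256sum` hashes the concatenation of every .img file and writes a single digest with `-` as the file name, so a user who downloads one image cannot verify it against the .sha256 file, and because `find` emits entries in directory order the concatenated digest is not even stable between runs. Keep one line per image instead, e.g. `find . -name "*.img" -print0 | sort -z | xargs -0 sha256sum | tee seedsigner_os.${{ env.source_hash }}.sha256`, which still handles the per-artifact subfolders and yields a file that `sha256sum -c` can check (paths will carry the `./<artifact dir>/` prefix, so either strip it or document that the check is run from the images directory).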
Required as all downloads end up in different subfolders