
chore(ci): pin 3rd party actions to sha commit #1335


Merged
merged 6 commits into from
Feb 27, 2023

Conversation

am29d
Contributor

@am29d am29d commented Feb 26, 2023

Description of your changes

I have pinned the version of the following actions in our workflows:

  • actions/cache
  • flochaz/pkg-size-action
  • release-drafter/release-drafter

Closes #1025.

I have added the workflow from the python repo to check for any unpinned actions using the zgosalvez/github-actions-ensure-sha-pinned-actions workflow.

How to verify this change

Related issues, RFCs

Issue number: #1025

PR status

Is this ready for review?: YES
Is it a breaking change?: NO

Checklist

  • My changes meet the tenets criteria
  • I have performed a self-review of my own code
  • I have commented my code where necessary, particularly in areas that should be flagged with a TODO, or hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding changes to the examples
  • My changes generate no new warnings
  • The code coverage hasn't decreased
  • I have added tests that prove my change is effective and works
  • New and existing unit tests pass locally and in Github Actions
  • Any dependent changes have been merged and published
  • The PR title follows the conventional commit semantics

Breaking change checklist

  • I have documented the migration process
  • I have added, implemented necessary warnings (if it can live side by side)

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@pull-request-size pull-request-size bot added the size/M PR between 30-99 LOC label Feb 26, 2023
@github-actions github-actions bot added the internal PRs that introduce changes in governance, tech debt and chores (linting setup, baseline, etc.) label Feb 26, 2023
@am29d am29d added the automation This item relates to automation label Feb 26, 2023
@am29d am29d requested a review from dreamorosi February 26, 2023 13:17
Contributor

@dreamorosi dreamorosi left a comment


I think we should also pin the aws-actions/configure-aws-credentials action (used here & elsewhere), while not strictly third-party (for us at least). Doing that would open the door to addressing most of the warnings described in #1127, which we need to fix anyway before the end of Q2.

Finally, should we pin the ones from GitHub (aka the ones that start with actions/*) or is it not necessary?

@am29d
Contributor Author

am29d commented Feb 27, 2023

Pinned aws-actions/configure-aws-credentials to the latest commit of v1-node16, then we will get a v2 release soon.
Other actions/* I'd keep in the allow list, similar to the powertools python repo.
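The check the description adds and the allow list discussed in this reply, written out as an added POSIX shell example (not the PR's code and not the zgosalvez/github-actions-ensure-sha-pinned-actions action, whose behaviour this only approximates): it reports `uses:` steps that are not pinned to a full commit SHA while letting actions/* stay on tag references. The function names and the ALLOWLIST variable are this example's own.

```shell
#!/bin/sh
# Added example, not code from the PR: scan a workflow file for `uses:` steps
# whose ref is not a full 40-hex commit SHA, skipping allow-listed owners.

# Owner prefixes allowed to stay on tags (the PR keeps actions/* allow-listed).
ALLOWLIST="actions/"

# is_allowed OWNER/REPO -> 0 when the repo starts with an allow-listed prefix
is_allowed() {
  for prefix in $ALLOWLIST; do
    case "$1" in
      "$prefix"*) return 0 ;;
    esac
  done
  return 1
}

# unpinned_uses FILE -> prints each unpinned, non-allow-listed "owner/repo@ref";
# returns 1 if any were printed (so a CI step fails), 0 otherwise.
unpinned_uses() {
  found=0
  while IFS= read -r line; do
    # Drop trailing comments first, e.g. "@<sha> # v1.0.0" or commented-out steps.
    stripped=${line%%#*}
    case "$stripped" in
      *uses:*) ;;
      *) continue ;;
    esac
    # Take what follows "uses:", removing whitespace and optional quotes.
    ref=$(printf '%s' "${stripped#*uses:}" | tr -d " \t\"'")
    [ -n "$ref" ] || continue
    # Local actions and docker images have no upstream commit to pin to.
    case "$ref" in
      ./*|docker://*) continue ;;
    esac
    repo=${ref%%@*}
    version=${ref#*@}
    is_allowed "$repo" && continue
    # A full commit SHA is exactly 40 lowercase hex characters.
    if printf '%s' "$version" | grep -Eq '^[0-9a-f]{40}$'; then
      continue
    fi
    printf '%s\n' "$ref"
    found=1
  done < "$1"
  return $found
}
```

Run it as `unpinned_uses .github/workflows/ci.yml` in a CI step; a non-zero exit fails the job and the printed lines name the steps still on a tag.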

Contributor

@dreamorosi dreamorosi left a comment


Looks great, let's go!!

Successfully merging this pull request may close these issues.

Maintenance: harden workflows by pinning 3rd party actions to full length SHA number