
ci: pin "actions/" GitHub Actions to SHAs #87309

Merged
merged 2 commits into from
Mar 19, 2025

Conversation

kartben
Collaborator

@kartben kartben commented Mar 18, 2025

This commit follows up on e808ccf and completes the pinning of all
GitHub Actions to SHAs, including GitHub-owned actions/* actions.

Also update scorecard.yml versions in the process.

@kartben kartben force-pushed the ci_actions_shas_follow_up branch from 5a2272d to f3fd765 on March 18, 2025 16:58
kartben added 2 commits March 18, 2025 17:59
This commit follows up on e808ccfxy and completes the pinning of *all*
GitHub Actions to SHAs, including GitHub-owned `actions/*` actions.

Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
Apply dependabot suggested updates to the `scorecard` workflow to pull
latest versions of the actions.

Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
@kartben kartben force-pushed the ci_actions_shas_follow_up branch from f3fd765 to f5e2486 on March 18, 2025 16:59
@kartben kartben marked this pull request as ready for review March 18, 2025 17:00
@zephyrbot zephyrbot added the labels "platform: nRF BSIM" (Nordic Semiconductors, nRF BabbleSim) and "area: Continuous Integration" on Mar 18, 2025
@fabiobaltieri
Member

Ok but what is the whole story? Like you pinned the hashes, now what? Do you expect us to audit the changes commit by commit when upgrading them? If we are just bumping them up to check that they are in the repo then this is a pointless waste of time.

@pdgendt
Collaborator

pdgendt commented Mar 18, 2025

Ok but what is the whole story? Like you pinned the hashes, now what? Do you expect us to audit the changes commit by commit when upgrading them? If we are just bumping them up to check that they are in the repo then this is a pointless waste of time.

We let dependabot check for updates, it will post a changelog alongside the changes. Still needs a minimal amount of effort though.
But only commits for tagged versions will be taken into account.

The issue with not using hashes is that tags are mutable, which happened for example with tj-actions/changed-files where all tags were set to a malicious version.

@fabiobaltieri
Member

Still needs a minimal amount of effort though. But only commits for tagged versions will be taken into account.

The issue with not using hashes is that tags are mutable, which happened for example with tj-actions/changed-files where all tags were set to a malicious version.

So the idea is that before approving such a change one is expected to go through every commit, check the actual diff and look for signs of obfuscated exploits?

@nashif
Member

nashif commented Mar 18, 2025

So the idea is that before approving such a change one is expected to go through every commit, check the actual diff and look for signs of obfuscated exploits?

each sha would correspond to a tag, so instead of using tags which can be exploited by making them point to a different sha, we take the sha directly. When approving/reviewing, it is going to be the same I guess, i.e. if you have checked the diff between tags before, you can do that, but I have never looked at diff between two tags when updating actions.

All of this as it was said already would be managed and proposed by dependabot, so less manual work hopefully.
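
A small repository-side check for the policy this thread settles on (every `uses:` reference to a GitHub-hosted action must name a full 40-hex commit SHA, with the trailing `# vX.Y.Z` comment that dependabot keeps in step with the SHA so reviewers can still see which tag it corresponds to). This is an added example, not code from the PR or the Zephyr repository; the workflow fragment and the SHA values in it are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow fragment (not from the Zephyr repository).
# The 40-hex SHAs below are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5.3.0
      - uses: actions/cache@0123456
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: tj-actions/changed-files@main
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?\s*(#.*)?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int
    ref: str
    reason: str


def check_uses_refs(workflow_text: str) -> list[Finding]:
    """Return one Finding per `uses:` reference that is not pinned to a full commit SHA.

    Local actions (./path) and docker:// images are skipped: the pinning policy
    discussed here only covers actions fetched from GitHub repositories.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append(Finding(lineno, ref, "no ref at all"))
            continue
        _, version = ref.rsplit("@", 1)
        if not FULL_SHA_RE.match(version):
            # A short SHA can be extended to several commits; a tag or branch can be moved.
            kind = "abbreviated SHA" if re.fullmatch(r"[0-9a-f]{7,39}", version) else "mutable tag or branch"
            findings.append(Finding(lineno, ref, f"{kind}: {version}"))
        elif not comment or not re.search(r"#\s*v?\d", comment):
            # Without the version comment a reviewer cannot tell which tag the SHA is meant to be.
            findings.append(Finding(lineno, ref, "pinned, but missing version comment"))
    return findings
```

Running `check_uses_refs(SAMPLE_WORKFLOW)` flags lines 4, 6 and 9 of the fragment and accepts the fully pinned `actions/setup-python` step.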

@nashif nashif merged commit d5b2fcf into zephyrproject-rtos:main Mar 19, 2025
67 checks passed