Add script and run update for pinning action versions #1484
Signed-off-by: James Sturtevant <jsturtevant@gmail.com>
Pull request overview
This PR hardens the repository’s GitHub Actions usage by pinning third-party actions to specific commit SHAs (per GitHub’s supply-chain guidance), and adds a helper script to discover/update pins. It also replaces dtolnay/rust-toolchain with the maintained actions-rust-lang/setup-rust-toolchain.
Changes:
- Pin `uses:` references across workflows from version tags (e.g., `@v6`) to full commit SHAs, keeping the original version as an inline comment.
- Replace `dtolnay/rust-toolchain` usage with `actions-rust-lang/setup-rust-toolchain`.
- Add `hack/update-actions.sh` to scan workflows, resolve latest releases, and optionally update pins in-place.
Reviewed changes
Copilot reviewed 25 out of 25 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| hack/update-actions.sh | New helper script to scan workflows and compute/apply pinned action SHAs. |
| .github/workflows/ValidatePullRequest.yml | Pins actions used for docs-only detection, checkout, and typos. |
| .github/workflows/RustNightly.yml | Pins checkout/cache/rust-cache/ci-setup workflow action references. |
| .github/workflows/ReleaseBlockerLabelCleanUp.yml | Pins checkout action reference. |
| .github/workflows/ReleaseBlockerCheck.yml | Pins checkout action reference. |
| .github/workflows/PRLabelChecker.yml | Pins checkout action reference. |
| .github/workflows/PrimeCaches.yml | Pins checkout/ci-setup/rust-cache action references. |
| .github/workflows/IssueLabelChecker.yml | Pins checkout action reference. |
| .github/workflows/Fuzzing.yml | Pins checkout action reference. |
| .github/workflows/dep_update_guest_locks.yml | Pins create-app-token/checkout/ci-setup action references. |
| .github/workflows/dep_run_examples.yml | Pins checkout/ci-setup/rust-cache/download-artifact action references. |
| .github/workflows/dep_fuzzing.yml | Pins checkout/ci-setup/download-artifact/upload-artifact action references. |
| .github/workflows/dep_code_checks.yml | Pins checkout/ci-setup/cache/rust-cache action references. |
| .github/workflows/dep_build_test.yml | Pins checkout/ci-setup/rust-cache/download-artifact action references. |
| .github/workflows/dep_build_guests.yml | Pins checkout/ci-setup/cache/rust-cache/upload-artifact action references. |
| .github/workflows/dep_benchmarks.yml | Pins checkout/ci-setup/rust-cache/download-artifact/upload-artifact action references. |
| .github/workflows/DailyBenchmarks.yml | Pins checkout action reference. |
| .github/workflows/CreateReleaseBranch.yml | Pins checkout action reference. |
| .github/workflows/CreateRelease.yml | Pins checkout/ci-setup/download-artifact action references. |
| .github/workflows/CreateDevcontainerImage.yml | Pins checkout/docker/login/metadata/build-push action references. |
| .github/workflows/Coverage.yml | Pins checkout/ci-setup/rust-cache/upload-artifact action references. |
| .github/workflows/copilot-setup-steps.yml | Pins checkout/ci-setup and replaces toolchain setup action. |
| .github/workflows/CargoPublish.yml | Pins checkout/ci-setup/crates-io-auth action references. |
| .github/workflows/CargoAudit.yml | Pins checkout/toolchain/audit-check action references. |
| .github/workflows/auto-merge-dependabot.yml | Pins create-app-token and checkout action references. |
What's wrong with https://github.com/dtolnay/rust-toolchain?

It doesn't have releases, so it is hard to pin and keep updated, and it hasn't been updated with the latest toolchains. https://github.com/actions-rust-lang/setup-rust-toolchain is being actively maintained and does the same thing.
This pins all of our GitHub Actions to hashes (https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions). Dependabot will still work and use hashes when pushing updates.
It replaces https://github.com/dtolnay/rust-toolchain with actions-rust-lang/setup-rust-toolchain, which is maintained.
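The pinning rule this PR applies can be checked offline. Below is an added example, not the PR's `hack/update-actions.sh` (which also resolves releases over the network): it scans a workflow file's `uses:` lines and reports every reference whose `@` suffix is not a full 40-hex commit SHA. The sample workflow and the SHA in it are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not the PR's hack/update-actions.sh: audit GitHub workflow
# files for `uses:` references that are not pinned to a full 40-hex commit SHA.
# Needs only POSIX awk and sh; runs offline on a constructed sample workflow.

# check_pins FILE: print "LINE: REF" for every unpinned action reference and
# return 1 if any were found, 0 when all third-party actions are SHA-pinned.
# Local actions (./path) and docker:// images carry no git SHA and are skipped.
check_pins() {
  awk '
    /^[[:space:]-]*uses:[[:space:]]*/ {
      ref = $0
      sub(/^[[:space:]-]*uses:[[:space:]]*/, "", ref)   # keep only the value
      sub(/[[:space:]]*#.*$/, "", ref)                   # drop the "# v6" comment
      gsub(/["\047]/, "", ref)                           # strip optional quotes
      if (ref ~ /^\.\// || ref ~ /^docker:\/\//) next
      n = split(ref, parts, "@")
      pin = (n >= 2) ? parts[n] : ""
      if (length(pin) != 40 || pin !~ /^[0-9a-f]+$/) {
        printf "%d: %s\n", NR, ref
        bad++
      }
    }
    END { exit (bad > 0) }
  ' "$1"
}

# write_sample FILE: constructed workflow mixing pinned, unpinned, local and
# docker references. The 40-hex SHA below is a made-up placeholder, not a real commit.
write_sample() {
  cat > "$1" <<'EOF'
jobs:
  build:
    steps:
      - uses: actions/checkout@v6
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: ./.github/actions/ci-setup
      - uses: "actions/upload-artifact@v4"
      - uses: docker://alpine:3.20
      - uses: dtolnay/rust-toolchain@stable
EOF
}

# Demo: lines 4, 7 and 9 of the sample are reported; exit status is 1.
sample=$(mktemp)
write_sample "$sample"
check_pins "$sample" && echo "all third-party actions are SHA-pinned" \
  || echo "unpinned references found; pin each to a commit SHA and keep the tag as a comment"
rm -f "$sample"
```

Run it over each file in `.github/workflows/` from CI to fail the build when a tag-pinned action slips back in.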