
Conversation

@xopham (Contributor) commented Feb 3, 2025

Description

  • Add dependabot for github actions
  • Pin all actions by hash

Motivation

Pinning 3rd-party GitHub Actions by commit SHA makes them less vulnerable to compromise of the 3rd party. To avoid outdating and non-verbosity, versions are commented after the SHA and updating via dependabot is introduced that will automatically update the commented version tag as well.

In case of a false commit SHA, this change could break the corresponding workflow. Typically, this does not cause major interruptions, but it can for example affect a release pipeline and require a restart, causing delays.

Additional Notes

Jira ticket: [PROJ-IDENT]

@xopham xopham marked this pull request as ready for review February 3, 2025 19:55
@xopham xopham requested a review from a team as a code owner February 3, 2025 19:55
@xopham xopham requested review from zacharycmontoya and removed request for a team February 3, 2025 19:55
@dmehala (Collaborator) left a comment

LGTM

@dmehala (Collaborator) commented Feb 3, 2025

@xopham cool, cool. Do you have a tool to check if someone accidentally switched to an unpinned version?
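The check dmehala asks for, and the two conventions the PR description relies on (a full 40-hex commit SHA after `@`, a version tag in a trailing comment so Dependabot's `github-actions` ecosystem can keep both current), as an added example. This is not code from the PR or from the repository; it is a stand-alone checker that scans workflow text line by line for `uses:` references rather than parsing YAML, so it needs nothing beyond the standard library. The workflow and dependabot.yml samples below are constructed for illustration and the SHAs in them are placeholders, not real upstream commits. Local composite actions (`./...`) and `docker://` images are skipped on purpose: they have no upstream Git ref to pin.

```python
"""Report GitHub Actions references that are not pinned to a commit SHA.

Added example (not the PR's or the project's own tooling). Scans `uses:` lines
in workflow files and checks that .github/dependabot.yml covers the
`github-actions` ecosystem, so SHA pins do not silently go stale.
"""
import re
import sys
from pathlib import Path

# `uses:` either as a step list item or at job level (reusable workflows),
# optionally quoted, with an optional trailing "# v1.2.3"-style comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^'\"\s#]+)['\"]?\s*(?:#\s*(?P<comment>.*))?$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_COMMENT_RE = re.compile(r"^v?\d+(\.\d+)*")


def check_uses(text: str):
    """Return (line_no, ref, problem) for every action reference that is not
    pinned to a full commit SHA with a version comment after it."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        # Local actions and docker images have no upstream tag/SHA to pin.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append((line_no, ref, "no @ref at all"))
            continue
        version = ref.rsplit("@", 1)[1]
        comment = (m.group("comment") or "").strip()
        if not SHA_RE.match(version):
            findings.append((line_no, ref, "pinned by tag/branch, not a commit SHA"))
        elif not VERSION_COMMENT_RE.match(comment):
            findings.append((line_no, ref, "SHA pin without a version comment"))
    return findings


def dependabot_covers_actions(text: str) -> bool:
    """True if a dependabot.yml declares a `github-actions` package ecosystem."""
    return re.search(r"package-ecosystem:\s*['\"]?github-actions['\"]?", text) is not None


def scan_repo(root: Path):
    """Scan .github/workflows/*.yml and .github/dependabot.yml under `root`."""
    problems = []
    for wf in sorted((root / ".github" / "workflows").glob("*.y*ml")):
        for line_no, ref, why in check_uses(wf.read_text()):
            problems.append(f"{wf}:{line_no}: {ref}: {why}")
    dep = root / ".github" / "dependabot.yml"
    if not dep.exists() or not dependabot_covers_actions(dep.read_text()):
        problems.append(f"{dep}: no github-actions ecosystem entry, pins will go stale")
    return problems


# Constructed sample workflow; the SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: actions/setup-python@v5
      - uses: docker://alpine:3.20
      - uses: ./.github/actions/local-build
      - uses: actions/cache@fedcba9876543210fedcba9876543210fedcba98
  lint:
    uses: org/reusable/.github/workflows/lint.yml@main
"""

# Constructed sample dependabot.yml with the ecosystem the PR adds.
SAMPLE_DEPENDABOT = """\
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        issues = scan_repo(Path(sys.argv[1]))
    else:
        issues = [f"sample:{n}: {ref}: {why}" for n, ref, why in check_uses(SAMPLE_WORKFLOW)]
        if not dependabot_covers_actions(SAMPLE_DEPENDABOT):
            issues.append("sample dependabot.yml: no github-actions ecosystem entry")
    for p in issues:
        print(p)
    sys.exit(1 if issues else 0)
```

Run it with a repository root as the only argument (exit status 1 on any finding, so it can sit in a CI job or a pre-commit hook); with no argument it runs over the built-in sample and reports the `@v5` tag, the `@main` branch on the reusable workflow, and the SHA-pinned `actions/cache` that lacks the version comment Dependabot needs to keep the pin readable.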

@codecov-commenter

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 93.80%. Comparing base (f590dce) to head (ce5d757).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #180   +/-   ##
=======================================
  Coverage   93.80%   93.80%           
=======================================
  Files          73       73           
  Lines        4195     4195           
=======================================
  Hits         3935     3935           
  Misses        260      260           


@dmehala dmehala merged commit 6dbd84b into DataDog:main Feb 3, 2025
20 checks passed

3 participants