ci: update and pin github actions #1219
Conversation
botovq
left a comment
botovq
left a comment
There was a problem hiding this comment.
This looks good - I double checked the hashes.
- I guess once this is merged, we should also tighten the settings in our repo settings?
- How do we know the jobs that aren't run as part of PR CI actually work: upload-artifact, gh-release, freebsd/solaris?
Great, thanks!
Yes, GitHub now has policy settings to require actions to be pinned to full-length commit hashes, as well as restrict used third-party actions to only those allowed through GitHub settings. I think it would be a good idea to enable both of these, especially given the recent supply-chain attacks targetting GitHub workflows. There's also "Immutable Releases" now, which would make all assets on releases for this repository immutable - which I think would also be good to enable. I need to check that the current release CI will work with it first, however.
For For |
Agreed. May I leave that to you (I'll try to merge in an hour or so). Re "immutable Releases" that sounds like what we want indeed. Your tests seems good enough then. Thanks! |
Yep! I'll look into getting these setup this week/weekend.
No worries! :D |
2 participants
Update GitHub Actions to latest versions, and pin all used actions (except oss-fuzz) to full-length commit hashes to make them immutable. This prevents unexpected changes, and malicious updates or compromise of used actions.
https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions
actions/checkoutv4 -> v6.0.1 (8e8c483)actions/upload-artifactv4 -> v6.0.0 (b7c566a)msys2/setup-msys2v2 -> v2.30.0 (4f806de)mymindstorm/setup-emsdkv14 -> v14 (6ab9eb1)softprops/action-gh-releasev2 -> v2.5.0 (a06a81a)vmactions/freebsd-vmv1 -> v1.3.0 (670398e)vmactions/solaris-vmv1 -> v1.1.8 (47bea10)