Skip to content

ci: pin github actions by hash and update via dependabot#180

Merged
dmehala merged 2 commits intoDataDog:mainfrom
xopham:christoph.hamsen/pin-update-gh-actions
Feb 3, 2025
Merged

ci: pin github actions by hash and update via dependabot#180
dmehala merged 2 commits intoDataDog:mainfrom
xopham:christoph.hamsen/pin-update-gh-actions

Conversation

@xopham
Copy link
Contributor

@xopham xopham commented Feb 3, 2025
edited
Loading

Description

  • Add dependabot for github actions
  • Pin all actions by hash

Motivation

Pinning 3rd-party GitHub Actions by commit SHA makes them less vulnerable to compromise of the 3rd party. To avoid outdating and non-verbosity, versions are commented after the SHA and updating via dependabot is introduced that will automatically update the commented version tag as well.

In case of a false commit SHA, this change could break the corresponding workflow. Typically, this does not cause major interruptions, but it can for example affect a release pipeline and require restart causing delays.

Additional Notes

Jira ticket: [PROJ-IDENT]

@xopham xopham marked this pull request as ready for review February 3, 2025 19:55
@xopham xopham requested a review from a team as a code owner February 3, 2025 19:55
@xopham xopham requested review from zacharycmontoya and removed request for a team February 3, 2025 19:55
dmehala
dmehala approved these changes Feb 3, 2025
View reviewed changes
Copy link
Collaborator

@dmehala dmehala left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@dmehala
Copy link
Collaborator

dmehala commented Feb 3, 2025
edited
Loading

@xopham cool, cool. Do you have a tool to check if someone accidentally switched to an unpinned version?

@codecov-commenter
Copy link

codecov-commenter commented Feb 3, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 93.80%. Comparing base (f590dce) to head (ce5d757).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #180   +/-   ##
=======================================
  Coverage   93.80%   93.80%           
=======================================
  Files          73       73           
  Lines        4195     4195           
=======================================
  Hits         3935     3935           
  Misses        260      260

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@dmehala dmehala merged commit 6dbd84b into DataDog:main Feb 3, 2025
20 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dmehala dmehala dmehala approved these changes

@zacharycmontoya zacharycmontoya Awaiting requested review from zacharycmontoya zacharycmontoya is a code owner automatically assigned from DataDog/dd-trace-cpp

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@xopham @dmehala @codecov-commenter