Skip to content

Conversation

@Miqueasher
Copy link
Contributor

This pr updates all 3p actions from using version ID tags to being pinned with their commit SHA.

Git revert is safe unless SHA pinning is enforced for this repository in the settings. In that case all pinned commit SHA must be corresponding to the version tag that was specified before this pr. Alternatively functionality and/or arguments of commands must be updated to satisfy changes between the versions.

References:
https://github.com/actions/checkout
https://github.com/actions/setup-python
https://github.com/actions/setup-java
https://github.com/actions/setup-node
https://github.com/actions/cache
https://github.com/actions/upload-artifact
https://github.com/aws-actions/configure-aws-credentials
https://github.com/actions/download-artifact
https://github.com/aws-actions/aws-secretsmanager-get-secrets
https://github.com/gradle/actions/blob/f8140229023a7015c7ce4df6f7c390a3cace8f83/docs/deprecation-upgrade-guide.md#using-the-action-to-execute-gradle-via-the-arguments-parameter-is-deprecated
https://github.com/hashicorp/setup-terraform
https://github.com/ruby/setup-ruby
https://github.com/aws-actions/amazon-ecr-login
https://github.com/actions/setup-dotnet

NOTE: TESTS RUNNING ON A SINGLE EKS CLUSTER CANNOT BE RUN IN PARALLEL. See the needs keyword to run tests in succession.

  • Run Java EKS on e2e-playground in us-east-1 and eu-central-2
  • Run Python EKS on e2e-playground in us-east-1 and eu-central-2
  • Run metric limiter on EKS cluster e2e-playground in us-east-1 and eu-central-2
  • Run EC2 tests in all regions
  • Run K8s on a separate K8s cluster (check IAD test account for master node endpoints; these will change as we create and destroy clusters for OS patching)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Copy link
Contributor

@thpierce thpierce left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Summary of changes:

@Miqueasher - my biggest concern is all the actions/setup-<language>vX -> vY - I'm worried later versions may not support he same language versions. E.g. does setup-dotnetv5 support the same language versions as setup-dotnet@v2, etc. Same with setup-gradlev3 -> v4 (though in that case, the only usage is in pr-build, which we know will or will not work based on the checks run against this PR).

@Miqueasher
Copy link
Contributor Author

actions/setup-dotnet@v2 -> actions/setup-dotnet@d4c9434 (v5.0.0) -> main_build (.NET) passed : https://github.com/aws-observability/aws-otel-dotnet-instrumentation/actions/runs/17841045919

actions/setup-dotnet@v1 -> actions/setup-dotnet@d4c9434 (v5.0.0) -> main_build (.NET) passed : https://github.com/aws-observability/aws-otel-dotnet-instrumentation/actions/runs/17833522016

actions/setup-java@v4 -> actions/setup-java@dded088 (v5.0.0) -> daily-scan.yml (python) passed : https://github.com/aws-observability/aws-otel-python-instrumentation/actions/runs/17863835348/workflow

actions/setup-node@v4 -> actions/setup-node@a0853c2 (v5.0.0) -> post-release-version-bump (js) passed : https://github.com/aws-observability/aws-otel-js-instrumentation/actions/runs/17841223064

actions/setup-python@v5 -> actions/setup-python@e797f83 (v6.0.0) -> set_up/action (python) passed : https://github.com/aws-observability/aws-otel-python-instrumentation/actions/runs/17803145358

actions/upload-artifact@v4 -> actions/upload-artifact@ea165f8 (v4.6.2) -> release-lambda (.NET) passed : https://github.com/aws-observability/aws-otel-dotnet-instrumentation/actions/runs/17841045919

hashicorp/setup-terraform@v2 -> hashicorp/setup-terraform@b9cd54a (v3.1.2) -> release-lambda (.NET) passed : https://github.com/aws-observability/aws-otel-dotnet-instrumentation/actions/runs/17841045919

aws-actions/configure-aws-credentials@v4 -> aws-actions/configure-aws-credentials@a03048d (v5.0.0) -> artifacts_build/action.yml (python) passed : https://github.com/aws-observability/aws-otel-python-instrumentation/actions/runs/17803145358

actions/checkout@v2 -> actions/checkout@08c6903 (v5.0.0) : https://github.com/aws-observability/aws-otel-dotnet-instrumentation/actions/runs/17841045919

aws-actions/aws-secretsmanager-get-secrets@v1 -> aws-actions/aws-secretsmanager-get-secrets@a9a7eb4 (v2.0.10) -> daily_scan (js) passed : https://github.com/aws-observability/aws-otel-js-instrumentation/actions/runs/17864770386

aws-actions/aws-secretsmanager-get-secrets@v2 -> aws-actions/aws-secretsmanager-get-secrets@a9a7eb4 (v2.0.10) : https://github.com/aws-observability/aws-otel-js-instrumentation/actions/runs/17864770386

aws-actions/configure-aws-credentials@v4 -> aws-actions/configure-aws-credentials@a03048d (v5.0.0) -> artifacts_build/action (js) passed : https://github.com/aws-observability/aws-otel-js-instrumentation/actions/runs/17841223064

These are almost all the ones you were concerned about, I wasn't able to find .NET@v4, or checkout @V3. I did find examples of earlier versions though which should give confidence that those aren't of concern right now.

@Miqueasher Miqueasher merged commit c49ee1c into aws-observability:main Sep 23, 2025
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants