Skip to content

[github actions] Pin actions to hash commits #6784

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Mar 19, 2025
Merged

[github actions] Pin actions to hash commits #6784

merged 3 commits into from
Mar 19, 2025

Conversation

rlazo
Copy link
Collaborator

@rlazo rlazo commented Mar 19, 2025

Tags can be modified to point to different commits, which is a
security issue. By pinning to specific commits we ensure the code
executing isn't changing.

rlazo added 3 commits March 19, 2025 13:00
@rlazo
[github actions] Pin actions to hash commits
8fa902f 
Tags can be modified to point to different commits, which is a
security issue. By pinning to specific commits we ensure the code
executing isn't changing.
@rlazo
Merge branch 'main' into rl.github.action.pin
ee45e53
@rlazo
Additional updates
17555ed
@rlazo rlazo requested review from dconeybe and daymxn March 19, 2025 17:46
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Mar 19, 2025
edited
Loading

📝 PRs merging into main branch

Our main branch should always be in a releasable state. If you are working on a larger change, or if you don't want this change to see the light of the day just yet, consider using a feature branch first, and only merge into the main branch when the code complete and ready to be released.

@rlazo
Copy link
Collaborator Author

rlazo commented Mar 19, 2025

@dconeybe please check the changes to the dataconnect actions

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Mar 19, 2025
edited
Loading

Test Results

 1 062 files  + 45   1 062 suites  +45   34m 57s ⏱️ +51s
 5 861 tests ±  0   5 838 ✅ ±  0  22 💤 ±0  1 ❌ ±0 
12 091 runs  +459  12 046 ✅ +459  44 💤 ±0  1 ❌ ±0 

For more details on these failures, see this check.

Results for commit 17555ed. ± Comparison against base commit af1fe93.

♻️ This comment has been updated with latest results.

@google-oss-bot
Copy link
Contributor

Size Report 1

Affected Products

No changes between base commit (af1fe93) and merge commit (1597d7a).

Test Logs

  1. https://storage.googleapis.com/firebase-sdk-metric-reports/rgbMfpCatj.html

@dconeybe
Copy link
Contributor

@dconeybe please check the changes to the dataconnect actions

dataconnect changes LGTM. I'm not going to mark this PR as "approved" since my review is only on a small subset of the file; rather, I'll remove myself from the list of reviewers.

@dconeybe dconeybe removed their request for review March 19, 2025 18:11
@google-oss-bot
Copy link
Contributor

Coverage Report 1

Affected Products

  • firebase-appdistribution

    Overall coverage changed from ? (af1fe93) to 75.72% (1597d7a) by ?.

    68 individual files with coverage change

    FilenameBase (af1fe93)Merge (1597d7a)Diff
    AabUpdater.java?98.36%?
    AabUpdater_Factory.java?0.00%?
    ApkInstaller.java?100.00%?
    ApkInstaller_Factory.java?0.00%?
    ApkUpdater.java?92.63%?
    ApkUpdater_Factory.java?0.00%?
    AppDistributionReleaseImpl.java?100.00%?
    AppDistributionReleaseInternal.java?100.00%?
    AppDistroComponent.java?0.00%?
    AppDistroComponent_MainModule_BindContentResolverFactory.java?0.00%?
    AppIconSource.java?84.62%?
    AppIconSource_Factory.java?100.00%?
    AutoValue_AppDistributionReleaseImpl.java?65.45%?
    AutoValue_AppDistributionReleaseInternal.java?71.58%?
    AutoValue_ImageUtils_ImageSize.java?35.00%?
    AutoValue_TesterApiDisabledErrorDetails.java?29.41%?
    AutoValue_TesterApiDisabledErrorDetails_HelpLink.java?54.17%?
    AutoValue_UpdateProgressImpl.java?65.96%?
    DaggerAppDistroComponent.java?80.56%?
    DevModeDetector.java?9.09%?
    DevModeDetector_Factory.java?100.00%?
    ErrorMessages.java?0.00%?
    FeedbackActivity.java?3.39%?
    FeedbackActivity_MembersInjector.java?0.00%?
    FeedbackSender.java?84.48%?
    FeedbackSender_Factory.java?0.00%?
    FeedbackTrigger.java?61.54%?
    FirebaseAppDistributionExceptions.java?80.00%?
    FirebaseAppDistributionFileProvider.java?0.00%?
    FirebaseAppDistributionImpl.java?89.89%?
    FirebaseAppDistributionImpl_Factory.java?0.00%?
    FirebaseAppDistributionLifecycleNotifier.java?91.49%?
    FirebaseAppDistributionLifecycleNotifier_Factory.java?0.00%?
    FirebaseAppDistributionNotificationsManager.java?88.89%?
    FirebaseAppDistributionNotificationsManager_Factory.java?0.00%?
    FirebaseAppDistributionRegistrar.java?95.83%?
    FirebaseAppDistributionTesterApiClient.java?88.78%?
    FirebaseAppDistributionTesterApiClient_Factory.java?0.00%?
    HttpsUrlConnectionFactory.java?50.00%?
    HttpsUrlConnectionFactory_Factory.java?100.00%?
    ImageUtils.java?100.00%?
    InstallActivity.java?2.67%?
    LogWrapper.java?86.67%?
    NewReleaseFetcher.java?86.67%?
    NewReleaseFetcher_Factory.java?0.00%?
    PackageInfoUtils.java?42.86%?
    ReleaseIdentifier.java?91.78%?
    ReleaseIdentifier_Factory.java?0.00%?
    ReleaseUtils.java?83.33%?
    ScreenshotTaker.java?36.17%?
    ScreenshotTaker_Factory.java?0.00%?
    SequentialReference.java?100.00%?
    SignInResultActivity.java?0.00%?
    SignInStorage.java?100.00%?
    SignInStorage_Factory.java?0.00%?
    TakeScreenshotAndStartFeedbackActivity.java?0.00%?
    TakeScreenshotAndStartFeedbackActivity_MembersInjector.java?0.00%?
    TaskCache.java?100.00%?
    TaskCompletionSourceCache.java?72.41%?
    TaskUtils.java?77.50%?
    TesterApiDisabledErrorDetails.java?93.75%?
    TesterApiHttpClient.java?90.09%?
    TesterApiHttpClient_Factory.java?0.00%?
    TesterSignInManager.java?89.41%?
    TesterSignInManager_Factory.java?0.00%?
    UpdateProgressImpl.java?100.00%?
    UpdateTaskCache.java?91.30%?
    UpdateTaskImpl.java?76.32%?

  • firebase-firestore

    Overall coverage changed from 45.77% (af1fe93) to 45.77% (1597d7a) by +0.00%.

    FilenameBase (af1fe93)Merge (1597d7a)Diff
    DeleteMutation.java90.48%95.24%+4.76%

  • firebase-inappmessaging

    Overall coverage changed from ? (af1fe93) to 39.03% (1597d7a) by ?.

    148 individual files with coverage change

    FilenameBase (af1fe93)Merge (1597d7a)Diff
    AbtIntegrationHelper.java?60.87%?
    AbtIntegrationHelper_Factory.java?0.00%?
    Action.java?76.47%?
    Analytics.java?0.00%?
    AnalyticsConstants.java?0.00%?
    AnalyticsEventsManager.java?85.19%?
    AnalyticsEventsModule.java?0.00%?
    AnalyticsEventsModule_ProvidesAnalyticsConnectorEventsFactory.java?0.00%?
    AnalyticsEventsModule_ProvidesAnalyticsEventsManagerFactory.java?0.00%?
    AnalyticsListener.java?0.00%?
    ApiClient.java?100.00%?
    ApiClientModule.java?0.00%?
    ApiClientModule_ProvidesApiClientFactory.java?0.00%?
    ApiClientModule_ProvidesDataCollectionHelperFactory.java?0.00%?
    ApiClientModule_ProvidesFirebaseAppFactory.java?0.00%?
    ApiClientModule_ProvidesFirebaseInstallationsFactory.java?0.00%?
    ApiClientModule_ProvidesSharedPreferencesUtilsFactory.java?0.00%?
    ApiClientModule_ProvidesTestDeviceHelperFactory.java?0.00%?
    AppComponent.java?0.00%?
    AppForeground.java?0.00%?
    ApplicationModule.java?0.00%?
    ApplicationModule_DeveloperListenerManagerFactory.java?0.00%?
    ApplicationModule_ProvidesApplicationFactory.java?0.00%?
    AppMeasurementModule.java?0.00%?
    AppMeasurementModule_ProvidesAnalyticsConnectorFactory.java?0.00%?
    AppMeasurementModule_ProvidesSubsriberFactory.java?0.00%?
    AutoValue_InstallationIdResult.java?33.33%?
    AutoValue_RateLimit.java?44.68%?
    BannerMessage.java?75.00%?
    Button.java?61.76%?
    CampaignAnalytics.java?33.22%?
    CampaignAnalyticsOrBuilder.java?0.00%?
    CampaignCache.java?0.00%?
    CampaignCacheClient.java?88.00%?
    CampaignCacheClient_Factory.java?0.00%?
    CampaignImpression.java?38.96%?
    CampaignImpressionList.java?39.25%?
    CampaignImpressionListOrBuilder.java?0.00%?
    CampaignImpressionOrBuilder.java?0.00%?
    CampaignMetadata.java?100.00%?
    CampaignProto.java?27.23%?
    CardMessage.java?78.48%?
    ClientAppInfo.java?35.79%?
    ClientAppInfoOrBuilder.java?0.00%?
    Clock.java?0.00%?
    CommonTypesProto.java?9.87%?
    DaggerAppComponent.java?0.00%?
    DaggerUniversalComponent.java?0.00%?
    DataCollectionHelper.java?87.50%?
    DataCollectionHelper_Factory.java?0.00%?
    DeveloperListenerManager.java?100.00%?
    DismissType.java?82.61%?
    DisplayCallbacksFactory.java?100.00%?
    DisplayCallbacksFactory_Factory.java?0.00%?
    DisplayCallbacksImpl.java?93.46%?
    EventType.java?76.19%?
    ExecutorsModule.java?0.00%?
    ExecutorsModule_ProvidesBackgroundExecutorFactory.java?0.00%?
    ExecutorsModule_ProvidesBlockingExecutorFactory.java?0.00%?
    ExecutorsModule_ProvidesLightWeightExecutorFactory.java?0.00%?
    ExperimentPayloadProto.java?6.05%?
    FetchEligibleCampaignsRequest.java?32.98%?
    FetchEligibleCampaignsRequestOrBuilder.java?0.00%?
    FetchEligibleCampaignsResponse.java?42.86%?
    FetchEligibleCampaignsResponseOrBuilder.java?0.00%?
    FetchErrorReason.java?52.17%?
    FiamAnalyticsConnectorListener.java?100.00%?
    FiamFetchService.java?0.00%?
    FirebaseAppScope.java?0.00%?
    FirebaseInAppMessaging.java?80.60%?
    FirebaseInAppMessagingCampaignAnalyticsProto.java?0.00%?
    FirebaseInAppMessagingClickListener.java?0.00%?
    FirebaseInAppMessagingContextualTrigger.java?0.00%?
    FirebaseInAppMessagingDismissListener.java?0.00%?
    FirebaseInAppMessagingDisplay.java?0.00%?
    FirebaseInAppMessagingDisplayCallbacks.java?100.00%?
    FirebaseInAppMessagingDisplayErrorListener.java?0.00%?
    FirebaseInAppMessagingImpressionListener.java?0.00%?
    FirebaseInAppMessagingRegistrar.java?0.00%?
    FirebaseInAppMessaging_Factory.java?0.00%?
    ForegroundFlowableModule.java?0.00%?
    ForegroundFlowableModule_ProvidesAppForegroundEventStreamFactory.java?0.00%?
    ForegroundNotifier.java?76.00%?
    GrpcChannelModule.java?0.00%?
    GrpcChannelModule_ProvidesGrpcChannelFactory.java?0.00%?
    GrpcChannelModule_ProvidesServiceHostFactory.java?0.00%?
    GrpcClient.java?100.00%?
    GrpcClientModule.java?0.00%?
    GrpcClientModule_ProvidesApiKeyHeadersFactory.java?0.00%?
    GrpcClientModule_ProvidesInAppMessagingSdkServingStubFactory.java?0.00%?
    GrpcClient_Factory.java?0.00%?
    ImageData.java?71.43%?
    ImageOnlyMessage.java?75.86%?
    ImpressionStorageClient.java?100.00%?
    ImpressionStorageClient_Factory.java?0.00%?
    ImpressionStore.java?0.00%?
    InAppMessage.java?24.24%?
    InAppMessageStreamManager.java?91.40%?
    InAppMessageStreamManager_Factory.java?0.00%?
    InAppMessaging.kt?0.00%?
    InAppMessagingSdkServingGrpc.java?45.95%?
    InstallationIdResult.java?100.00%?
    Logging.java?0.00%?
    MessagesProto.java?36.03%?
    MessageType.java?100.00%?
    MetricsLoggerClient.java?94.29%?
    ModalMessage.java?74.07%?
    ProgramaticContextualTriggers.java?0.00%?
    ProgrammaticContextualTriggerFlowableModule.java?0.00%?
    ProgrammaticContextualTriggerFlowableModule_ProvidesProgramaticContextualTriggersFactory.java?0.00%?
    ProgrammaticContextualTriggerFlowableModule_ProvidesProgramaticContextualTriggerStreamFactory.java?0.00%?
    ProgrammaticTrigger.java?0.00%?
    ProtoMarshallerClient.java?91.40%?
    ProtoMarshallerClient_Factory.java?0.00%?
    ProtoStorageClient.java?100.00%?
    ProtoStorageClientModule.java?0.00%?
    ProtoStorageClientModule_ProvidesProtoStorageClientForCampaignFactory.java?0.00%?
    ProtoStorageClientModule_ProvidesProtoStorageClientForImpressionStoreFactory.java?0.00%?
    ProtoStorageClientModule_ProvidesProtoStorageClientForLimiterStoreFactory.java?0.00%?
    ProviderInstaller.java?37.50%?
    ProviderInstaller_Factory.java?0.00%?
    ProxyAnalyticsConnector.java?67.95%?
    RateLimit.java?0.00%?
    RateLimiterClient.java?100.00%?
    RateLimiterClient_Factory.java?0.00%?
    RateLimitModule.java?0.00%?
    RateLimitModule_ProvidesAppForegroundRateLimitFactory.java?0.00%?
    RateLimitProto.java?52.69%?
    RenderErrorReason.java?82.61%?
    SchedulerModule.java?0.00%?
    SchedulerModule_ProvidesComputeSchedulerFactory.java?0.00%?
    SchedulerModule_ProvidesIOSchedulerFactory.java?0.00%?
    SchedulerModule_ProvidesMainThreadSchedulerFactory.java?0.00%?
    Schedulers.java?87.50%?
    Schedulers_Factory.java?0.00%?
    SharedPreferencesUtils.java?40.35%?
    SharedPreferencesUtils_Factory.java?0.00%?
    SystemClock.java?100.00%?
    SystemClockModule.java?0.00%?
    SystemClockModule_ProvidesSystemClockModuleFactory.java?0.00%?
    SystemClock_Factory.java?0.00%?
    TestDeviceHelper.java?100.00%?
    TestDeviceHelper_Factory.java?0.00%?
    Text.java?67.74%?
    TransportClientModule.java?0.00%?
    TransportClientModule_ProvidesMetricsLoggerClientFactory.java?0.00%?
    TriggeredInAppMessage.java?100.00%?
    UniversalComponent.java?0.00%?

  • firebase-messaging

    Overall coverage changed from 84.13% (af1fe93) to 84.10% (1597d7a) by -0.04%.

    FilenameBase (af1fe93)Merge (1597d7a)Diff
    FirebaseMessaging.java76.00%75.60%-0.40%

  • firebase-ml-modeldownloader

    Overall coverage changed from ? (af1fe93) to 82.11% (1597d7a) by ?.

    36 individual files with coverage change

    FilenameBase (af1fe93)Merge (1597d7a)Diff
    AutoFirebaseMlLogEventEncoder.java?100.00%?
    AutoValue_FirebaseMlLogEvent.java?56.60%?
    AutoValue_FirebaseMlLogEvent_DeleteModelLogEvent.java?58.33%?
    AutoValue_FirebaseMlLogEvent_ModelDownloadLogEvent.java?56.96%?
    AutoValue_FirebaseMlLogEvent_ModelDownloadLogEvent_ModelOptions.java?60.00%?
    AutoValue_FirebaseMlLogEvent_ModelDownloadLogEvent_ModelOptions_ModelInfo.java?56.25%?
    AutoValue_FirebaseMlLogEvent_SystemInfo.java?54.93%?
    CustomModel.java?72.13%?
    CustomModelDownloadConditions.java?88.46%?
    CustomModelDownloadService.java?79.89%?
    CustomModelDownloadService_Factory.java?0.00%?
    CustomModel_Factory.java?0.00%?
    CustomModel_Factory_Impl.java?0.00%?
    DaggerModelDownloaderComponent.java?100.00%?
    DataTransportMlEventSender.java?100.00%?
    DataTransportMlEventSender_Factory.java?0.00%?
    DownloadType.java?100.00%?
    FirebaseMlException.java?100.00%?
    FirebaseMlLogEvent.java?97.92%?
    FirebaseMlLogger.java?88.89%?
    FirebaseMlLogger_Factory.java?0.00%?
    FirebaseModelDownloader.java?84.66%?
    FirebaseModelDownloaderRegistrar.java?100.00%?
    FirebaseModelDownloader_Factory.java?0.00%?
    ModelDownloader.kt?91.67%?
    ModelDownloaderComponent.java?25.00%?
    ModelDownloaderComponent_MainModule_AppPackageNameFactory.java?0.00%?
    ModelDownloaderComponent_MainModule_AppVersionCodeFactory.java?0.00%?
    ModelDownloaderComponent_MainModule_FirebaseOptionsFactory.java?0.00%?
    ModelDownloaderComponent_MainModule_PersistenceKeyFactory.java?0.00%?
    ModelFileDownloadService.java?88.46%?
    ModelFileDownloadService_Factory.java?0.00%?
    ModelFileManager.java?82.28%?
    ModelFileManager_Factory.java?0.00%?
    SharedPreferencesUtil.java?97.26%?
    SharedPreferencesUtil_Factory.java?0.00%?

  • firebase-sessions

    Overall coverage changed from 66.63% (af1fe93) to 66.52% (1597d7a) by -0.11%.

    FilenameBase (af1fe93)Merge (1597d7a)Diff
    RemoteSettings.kt88.73%87.32%-1.41%

  • firebase-storage

    Overall coverage changed from ? (af1fe93) to 83.96% (1597d7a) by ?.

    48 individual files with coverage change

    FilenameBase (af1fe93)Merge (1597d7a)Diff
    ActivityLifecycleListener.java?74.14%?
    AdaptiveStreamBuffer.java?84.62%?
    CancelException.java?100.00%?
    CancellableTask.java?100.00%?
    ControllableTask.java?100.00%?
    DeleteNetworkRequest.java?100.00%?
    DeleteStorageTask.java?100.00%?
    ExponentialBackoffSender.java?86.00%?
    FileDownloadTask.java?80.00%?
    FirebaseStorage.java?83.67%?
    FirebaseStorageComponent.java?100.00%?
    GetDownloadUrlTask.java?96.77%?
    GetMetadataNetworkRequest.java?100.00%?
    GetMetadataTask.java?85.19%?
    GetNetworkRequest.java?100.00%?
    HttpURLConnectionFactory.java?0.00%?
    HttpURLConnectionFactoryImpl.java?50.00%?
    ListNetworkRequest.java?100.00%?
    ListResult.java?100.00%?
    ListTask.java?85.71%?
    NetworkRequest.java?87.29%?
    OnPausedListener.java?0.00%?
    OnProgressListener.java?0.00%?
    ResumableNetworkRequest.java?100.00%?
    ResumableUploadByteRequest.java?90.91%?
    ResumableUploadCancelRequest.java?100.00%?
    ResumableUploadQueryRequest.java?100.00%?
    ResumableUploadStartRequest.java?95.24%?
    Slashes.java?88.24%?
    Sleeper.java?0.00%?
    SleeperImpl.java?100.00%?
    SmartHandler.java?92.31%?
    Storage.kt?39.58%?
    StorageException.java?65.45%?
    StorageMetadata.java?86.34%?
    StorageReference.java?89.94%?
    StorageReferenceUri.java?100.00%?
    StorageRegistrar.java?100.00%?
    StorageTask.java?83.38%?
    StorageTaskManager.java?100.00%?
    StorageTaskScheduler.java?95.45%?
    StreamDownloadTask.java?88.89%?
    TaskListenerImpl.java?100.00%?
    TaskState.kt?0.00%?
    UpdateMetadataNetworkRequest.java?100.00%?
    UpdateMetadataTask.java?82.14%?
    UploadTask.java?81.52%?
    Util.java?73.24%?

Test Logs

  1. https://storage.googleapis.com/firebase-sdk-metric-reports/kO4zWEOGvj.html

@rlazo rlazo merged commit 60a021d into main Mar 19, 2025
268 of 271 checks passed
@rlazo rlazo deleted the rl.github.action.pin branch March 19, 2025 21:41
tejasd pushed a commit that referenced this pull request Apr 1, 2025
@rlazo @tejasd
[github actions] Pin actions to hash commits (#6784)
48d5fc6 
Tags can be modified to point to different commits, which is a
security issue. By pinning to specific commits we ensure the code
executing isn't changing.
@firebase firebase locked and limited conversation to collaborators Apr 19, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@daymxn daymxn daymxn approved these changes

Assignees
No one assigned
Labels
size/L
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@rlazo @google-oss-bot @dconeybe @daymxn