
Conversation

@khanhtc1202
Contributor

Part of open-telemetry/sig-security#87

Changes

Please provide a brief description of the changes here.

For significant contributions please make sure you have completed the following items:

  • CHANGELOG.md updated for non-trivial changes
  • Unit tests have been added
  • Changes in public API reviewed

step-security-bot and others added 2 commits April 2, 2025 14:10
…urity-remediation

[StepSecurity] ci: Harden GitHub Actions
@khanhtc1202 khanhtc1202 requested a review from a team as a code owner April 2, 2025 14:13
@netlify

netlify bot commented Apr 2, 2025

Deploy Preview for opentelemetry-cpp-api-docs canceled.

Name Link
🔨 Latest commit 708104c
🔍 Latest deploy log https://app.netlify.com/sites/opentelemetry-cpp-api-docs/deploys/67ed45ff20fb900008377e32

@marcalff marcalff self-assigned this Apr 2, 2025
@codecov

codecov bot commented Apr 2, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 89.56%. Comparing base (c2a9397) to head (708104c).
Report is 1 commits behind head on main.

@@           Coverage Diff           @@
##             main    #3338   +/-   ##
=======================================
  Coverage   89.56%   89.56%           
=======================================
  Files         210      210           
  Lines        6502     6502           
=======================================
  Hits         5823     5823           
  Misses        679      679           

@marcalff
Member

marcalff commented Apr 2, 2025

Thanks for the PR.

[malff@malff-desktop workflows]$ pwd
/home/malff/CODE/SEC_GITHUB/opentelemetry-cpp/.github/workflows
[malff@malff-desktop workflows]$ git log -1
commit 708104cfc36ddaa9de741ae1fd43fa8ebc30904a (HEAD -> main, origin/main, origin/HEAD)
Merge: c2a93976 f81b85cb
Author: Khanh Tran <[email protected]>
Date:   Wed Apr 2 23:11:17 2025 +0900

    Merge pull request #2 from step-security-bot/chore/GHA-021410-stepsecurity-remediation
    
    [StepSecurity] ci: Harden GitHub Actions
[malff@malff-desktop workflows]$ grep "actions/" --no-filename * | sed "s/^ *//g" | sort -u
# https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
issues: write  # for actions/stale to close stale issues
pull-requests: write  # for actions/stale to close stale PRs
run: sudo apt remove needrestart && sudo ./ci/install_format_tools.sh #refer: https://github.com/actions/runner-images/issues/9937
sudo apt remove needrestart #refer: https://github.com/actions/runner-images/issues/9937
uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
#    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/checkout@v4
- uses: actions/download-artifact@2a5974104b6d5dbdb2f9468a3e54da3bdd241578 # master
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
- uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
- uses: actions/upload-artifact@v4

There are still references to checkout@v4 and upload-artifact@v4 remaining.

Please fix:

[malff@malff-desktop workflows]$ grep "checkout@v4" *
clang-tidy.yaml:      - uses: actions/checkout@v4
iwyu.yml:      - uses: actions/checkout@v4
[malff@malff-desktop workflows]$ grep "upload-artifact@v4" *
clang-tidy.yaml:      - uses: actions/upload-artifact@v4
iwyu.yml:      - uses: actions/upload-artifact@v4
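The review above does the check by hand with `grep`. Below is an added example, not code from this PR or from the opentelemetry-cpp project, of the same audit as a reusable POSIX shell script: it reports every `uses:` reference that is not pinned to a full 40-hex commit SHA, and separately every SHA pin whose trailing comment is not a version tag (the `# master` label the review also asks to change). The two sample workflow files it writes are constructed for the demo; they reuse the action names and SHAs visible in the grep output above, and the function names (`audit_actions`, `count_findings`, `make_sample_workflows`) are my own.

```shell
#!/bin/sh
# Added example (not from the PR). Audits GitHub Actions "uses:" references.
# Assumptions: workflows are plain YAML with one "uses:" per line; a ref is
# considered pinned only when it is a 40-hex-digit commit SHA.

# audit_actions FILE...
# Prints one finding per line, in two kinds:
#   UNPINNED       file:line  owner/repo@ref        (tag or branch, mutable)
#   UNLABELED_PIN  file:line  owner/repo@sha ...    (SHA pin without a "# vX.Y.Z" comment)
# Commented-out steps and local actions (./path) are skipped. awk exits 0 even
# when nothing matches, so the function is safe to call under "set -e".
audit_actions() {
  awk '
    /^[[:space:]]*#/ { next }                         # commented-out line
    !/^[[:space:]]*-?[[:space:]]*uses:/ { next }      # not a uses: line
    {
      line = $0
      sub(/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/, "", line)
      split(line, f, /[[:space:]]+/)                  # f[1] = owner/repo@ref
      ref = f[1]
      if (ref ~ /^\.\//) next                         # local action, nothing to pin
      at = index(ref, "@")
      sha = (at > 0) ? substr(ref, at + 1) : ""
      c = index(line, "#")
      comment = (c > 0) ? substr(line, c + 1) : ""
      sub(/^[[:space:]]+/, "", comment)
      if (!(length(sha) == 40 && sha ~ /^[0-9a-f]+$/))
        print "UNPINNED", FILENAME ":" FNR, ref
      else if (comment !~ /^v[0-9]/)
        print "UNLABELED_PIN", FILENAME ":" FNR, ref, (comment == "" ? "(no comment)" : "# " comment)
    }' "$@"
}

# count_findings KIND FILE...   (KIND is UNPINNED or UNLABELED_PIN)
# Prints the number of findings of that kind; useful as a CI gate.
count_findings() {
  kind="$1"; shift
  audit_actions "$@" | awk -v k="$kind" '$1 == k { n++ } END { print n + 0 }'
}

# make_sample_workflows
# Writes two constructed workflow files into a temp directory and prints its
# path. The file names and action refs mirror the grep output in the review.
make_sample_workflows() {
  dir=$(mktemp -d)
  cat > "$dir/clang-tidy.yaml" <<'EOF'
name: clang-tidy (constructed sample)
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      #    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
      - uses: actions/upload-artifact@v4
EOF
  cat > "$dir/iwyu.yml" <<'EOF'
name: iwyu (constructed sample)
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/download-artifact@2a5974104b6d5dbdb2f9468a3e54da3bdd241578 # master
      - uses: ./.github/actions/local-step
EOF
  printf '%s\n' "$dir"
}

# Stand-alone run: build the samples and print the findings. On the sample
# files this reports two UNPINNED refs and one UNLABELED_PIN.
sample_dir=$(make_sample_workflows)
audit_actions "$sample_dir"/*.yml "$sample_dir"/*.yaml
```

To use it on a real checkout, run `audit_actions .github/workflows/*.yml .github/workflows/*.yaml` from the repository root, or gate CI with `[ "$(count_findings UNPINNED .github/workflows/*.y*ml)" -eq 0 ]`. The version-tag comment is checked because a bare SHA gives a reviewer no way to tell which release it corresponds to; the `# master` label in the review is exactly the case where the comment names a moving branch rather than the release the SHA was taken from.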

Member

@marcalff marcalff left a comment


Thanks for the PR.

Please fix the remaining references to labels:

[malff@malff-desktop workflows]$ grep "checkout@v4" *
clang-tidy.yaml:      - uses: actions/checkout@v4
iwyu.yml:      - uses: actions/checkout@v4
[malff@malff-desktop workflows]$ grep "upload-artifact@v4" *
clang-tidy.yaml:      - uses: actions/upload-artifact@v4
iwyu.yml:      - uses: actions/upload-artifact@v4

@marcalff
Member

marcalff commented Apr 2, 2025

Also, please change the comment from master to v4.6.2 for this one:

actions/download-artifact/commit/2a5974104b6d5dbdb2f9468a3e54da3bdd241578 # master

Verified manually every single commit.

Member

@marcalff marcalff left a comment


LGTM, thanks for the fix.

Taking the fix as-is, will fix remaining items in a different PR.

@marcalff marcalff merged commit b6630ee into open-telemetry:main Apr 3, 2025
66 checks passed
malkia added a commit to malkia/opentelemetry-cpp that referenced this pull request Apr 3, 2025
[StepSecurity] ci: Harden GitHub Actions (open-telemetry#3338)
@marcalff marcalff changed the title ci: Harden GitHub Actions [CI] Harden GitHub Actions May 26, 2025