CI: Pin GitHub action dependencies

Open hoffie opened this issue 1 year ago • 2 comments

Short description of changes

External dependencies should only be updated after manual review for security reasons (#1737). In addition, they need to be stable during the release process.

  • dev-drprasad/delete-tag-and-release is updated from v0.1.2 to v0.2.0 (via hash); diff has been reviewed
  • devbotsxyz/xcode-staple is unchanged at the latest v1 commit
  • maxim-lobanov/setup-xcode is unchanged at the latest v1 commit

github/* and actions/* dependencies are kept as-is as they are considered trusted due to their official status and the inevitable dependency on and trust in GitHub.

CHANGELOG: SKIP

Context: Fixes an issue?

Related: #1737

Does this change need documentation? What needs to be documented and how?

This specific change does not need documentation. The general need to pin Action dependencies should be documented. This is being tracked in #1737.

Status of this Pull Request

Ready.

What is missing until this pull request can be merged?

Reviews.

cc @emlynmac as two signing-related deps are affected.

Checklist

  • [x] I've verified that this Pull Request follows the general code principles
  • [x] I tested my code and it does what I want
  • [x] My code follows the style guide
  • [x] I waited some time after this Pull Request was opened and all GitHub checks completed without errors.
  • [x] I've filled all the content above

Test for completeness after this PR (no tag-based pinning for non-official deps anymore):

$ grep uses.*@ .github/workflows/* | grep -vP ':.*(actions|github)/'
.github/workflows/autobuild.yml:        uses:                       dev-drprasad/delete-tag-and-release@085c6969f18bad0de1b9f3fe6692a3cd01f64fe5
.github/workflows/autobuild.yml:        uses:                       maxim-lobanov/setup-xcode@4aa4176a819ae7c019451acfda0bba67bffc6704
.github/workflows/autobuild.yml:        uses:                       devbotsxyz/xcode-notarize@d7219e1c390b47db8bab0f6b4fc1e3b7943e4b3b
.github/workflows/autobuild.yml:        uses:                       devbotsxyz/xcode-staple@ae68b22ca35d15864b7f7923e1a166533b2944bf
.github/workflows/coding-style-check.yml:      uses: DoozyX/clang-format-lint-action@2a28e3a8d9553f244243f7e1ff94f6685dff87be

hoffie avatar Aug 12 '22 12:08 hoffie
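A more general form of the completeness check in the description above, added here as an example (not code from the Jamulus project): it walks any set of workflow files, skips official actions/* and github/* references as the PR does, and reports every other action that is not pinned to a full commit SHA. The sample workflow it writes is constructed for the demo, and the SHA in it is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the Jamulus PR: flag GitHub Action "uses:" references that
# are neither official (actions/*, github/*) nor pinned to a full 40-hex commit SHA.
# The sample workflow below is constructed for the demo, not taken from the Jamulus repo.
# Print "file:owner/repo@ref" for every non-official reference pinned to a tag or branch.
find_unpinned_uses() {
    for f in "$@"; do
        grep -oE '(^|[[:space:]])uses:[[:space:]]*[^[:space:]#]+' "$f" |
        sed -E 's/^[[:space:]]*uses:[[:space:]]*//' |
        while read -r ref; do
            case "$ref" in
                ./*|docker://*) continue ;;      # local composite actions and images: out of scope
                actions/*|github/*) continue ;;  # official actions are trusted as-is (per the PR)
            esac
            pin="${ref#*@}"
            # Only a full 40-hex SHA is immutable; "v1", "master" or no "@" at all can move
            if [ "$pin" = "$ref" ] || ! printf '%s\n' "$pin" | grep -qE '^[0-9a-f]{40}$'; then
                printf '%s:%s\n' "$f" "$ref"
            fi
        done
    done
}

# Exit 1 (and list offenders) if any unpinned non-official reference exists; 0 otherwise.
check_workflows() {
    out=$(find_unpinned_uses "$@")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Write a constructed workflow covering each case and print its path.
make_sample_workflow() {
    dir=$(mktemp -d)
    cat > "$dir/autobuild.yml" <<'EOF'
jobs:
  build:
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/local-step
      - uses: dev-drprasad/delete-tag-and-release@0123456789abcdef0123456789abcdef01234567
      - uses: maxim-lobanov/setup-xcode@v1
      - uses: devbotsxyz/xcode-staple@master
      - uses: docker://alpine:3.18
EOF
    printf '%s\n' "$dir/autobuild.yml"
}

check_workflows "$(make_sample_workflow)"; echo "exit status: $?"
```

Run it against a real checkout with `check_workflows .github/workflows/*.yml` to use it as a CI gate; a non-zero exit means at least one non-official action is still tag-pinned.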

Did you check that a release still works correctly? I'd assume yes since nothing big changes. Probably it's worth testing it in combination with the signing.

ann0see avatar Aug 12 '22 20:08 ann0see

Did you check that a release still works correctly? I'd assume yes since nothing big changes.

I've confirmed equality for the two xcode-related actions. I have reviewed the diff for the delete-tag-and-release action and have just kicked off two test runs:

Probably it's worth testing it in combination with the signing.

I don't expect any breakage there. We are literally pinning the very version which had been used for the 3.9.0 release.

hoffie avatar Aug 12 '22 21:08 hoffie