
feature request: look up a hash by version

Open lucasgonze opened this issue 2 years ago • 9 comments

Pinning by hash creates UI friction. With a tool like yarn a developer can use the CLI to look up the hash and upgrade the yaml in a terse command - yarn upgrade [email protected]. With pin-github-action the developer has to find the repo, look up the tag of the version they want, copy the hash, and paste the hash into their yaml.

pin-github-action should either:

  1. Be able to upgrade a single dependency using a command similar to yarn
  2. Be able to look up the hash in the CLI, so they can upgrade the yaml by hand

lucasgonze avatar Jun 17 '22 21:06 lucasgonze

If you are in agreement with this feature, I am willing to submit a PR implementing it.

lucasgonze avatar Jun 17 '22 22:06 lucasgonze

@lucasgonze I'm not sure what you're suggesting we implement here. Are you looking for a way to specify a specific version of a dependency, or to update the hash in a workflow for an existing pinned dependency?

mheap avatar Jun 20 '22 16:06 mheap

Let's say you have this:

uses: DoozyX/clang-format-lint-action@9ea72631b74e61ce337d0839a90e76180e997283 # [email protected]

and there exists a 0.14 with hash 1234567.

You issue this command:

node bin.js --update DoozyX/[email protected]

Then the yaml file changes to:

uses: DoozyX/clang-format-lint-action@1234567 # [email protected]

As a simplification, the CLI might simply report on the hash at a given version, in order to save the work of looking up the tag on Github. So this command:

node bin.js --lookup DoozyX/[email protected]

Would return this in the shell:

1234567

lucasgonze avatar Jun 20 '22 17:06 lucasgonze

Thanks for the examples, it makes it much clearer.

What are the benefits of adding support for node bin.js --update DoozyX/[email protected] in addition to updating the YAML to uses: DoozyX/[email protected] then re-running bin.js? This would look up the hash for the new version provided (or you could update [email protected] to [email protected] and re-run bin.js and it would update the hash too).

mheap avatar Jun 20 '22 17:06 mheap

My intention with this is to avoid modifying hashes apart from the one named in the parameter.

The reason I would want to only touch the one item is concern that other items might be iterated to a hash that hadn't been vetted, and this would reduce the security of pinning by hash to the same level as pinning by version.

Am I understanding this right?

lucasgonze avatar Jun 20 '22 18:06 lucasgonze

Yep, that's how it would work today.

We currently have an --allow flag to ignore specific actions from being pinned. Would adding an --only flag enable your use case?

# Update a single action
./bin.js --only DoozyX/clang-format-lint-action

# Or update everything by a user/org
./bin.js --only DoozyX/*

This would pull the latest hash for the version specified in the pin@main comment. If you wanted to manually update the version that you're pinning to, you'd have to update the YAML file.

mheap avatar Jun 21 '22 14:06 mheap
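The --only behaviour described above, as an added example that is not pin-github-action's own code: only actions matching the pattern are re-resolved, and every other pinned line is left byte-for-byte intact, which is the property lucasgonze wants. The `# pin@<ref>` comment format and the `RESOLVED` tag-to-commit map (a constructed stand-in for the GitHub API lookup) are assumptions.

```javascript
// Constructed tag -> commit map standing in for a GitHub API lookup.
// The hashes are not real commits.
const RESOLVED = {
  "DoozyX/clang-format-lint-action": {
    "v0.14": "1234567000000000000000000000000000000000",
  },
  "actions/checkout": { v3: "abcabcabcabcabcabcabcabcabcabcabcabcabca" },
};

// Constructed workflow: checkout is stale, the DoozyX comment was bumped by hand.
const WORKFLOW = [
  "steps:",
  "  - uses: actions/checkout@0000000000000000000000000000000000000000 # pin@v3",
  "  - uses: DoozyX/clang-format-lint-action@9ea72631b74e61ce337d0839a90e76180e997283 # pin@v0.14",
].join("\n");

// Turn an --only pattern such as "DoozyX/*" into a whole-string regex;
// "*" is the only wildcard, everything else is matched literally.
function onlyMatcher(pattern) {
  const escaped = pattern
    .split("*")
    .map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp(`^${escaped}$`);
}

// Captures: indent/"uses:", action, current ref, "# pin@", tag, trailing text.
const USES_RE =
  /^(\s*-?\s*uses:\s*)([\w.-]+\/[\w.-]+)@([\w.\-\/]+)(\s*#\s*pin@)([\w.\-\/]+)(.*)$/;

// Re-pin only the actions matched by onlyPattern; return new text plus the
// list of actions whose hash actually changed.
function repin(workflow, onlyPattern, resolved = RESOLVED) {
  const matches = onlyMatcher(onlyPattern);
  const changed = [];
  const lines = workflow.split("\n").map((line) => {
    const m = USES_RE.exec(line);
    if (!m) return line;
    const [, lead, action, current, comment, tag, rest] = m;
    if (!matches.test(action)) return line; // outside --only: never touched
    const sha = (resolved[action] || {})[tag];
    if (!sha || sha === current) return line; // unknown tag or already current
    changed.push(action);
    return `${lead}${action}@${sha}${comment}${tag}${rest}`;
  });
  return { text: lines.join("\n"), changed };
}

console.log(repin(WORKFLOW, "DoozyX/*").text);
```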

--only would do the job.

I also like the "everything by a user/org" idea, because it allows for very trusted orgs like actions/.

lucasgonze avatar Jun 21 '22 18:06 lucasgonze

FYI: my PR for this feature is not yet ready, but I have submitted a couple other trivial features that became useful during development.

lucasgonze avatar Jun 24 '22 02:06 lucasgonze

Slightly off-topic, but github's Dependabot can not update github actions pinned by SHA if there is an appropriately formatted comment. See https://github.blog/changelog/2022-10-31-dependabot-now-updates-comments-in-github-actions-workflows-referencing-action-versions/

zeisss avatar Jul 06 '23 11:07 zeisss