Hash-pin some action references, add dependency cooldowns #3000
woodruffw wants to merge 5 commits into rust-lang:master from
Conversation
Thanks for the PR! I’ve added zizmor to CI in #3001, so could you rebase to master and remove the unpinned-uses configuration? I think we can use hash-pin for ones that are currently using a branch in the same way as taiki-e/github-actions@90dc768. Also, since Dependabot gets a bit noisy when hash-pin is used, I'd appreciate it if grouped updates could be enabled as well like taiki-e/github-actions@f3fa089.
Thanks for the review! Yeah, I'll deconflict and follow your suggestions for the other bits 🙂
Signed-off-by: William Woodruff <william@yossarian.net>
Signed-off-by: William Woodruff <william@yossarian.net>
Remove dupes
Signed-off-by: William Woodruff <william@yossarian.net>
This PR was rebased onto a different master commit. Here's a range-diff highlighting what actually changed. Rebasing is a normal part of keeping PRs up to date, so no action is needed—this note is just to help reviewers.
Signed-off-by: William Woodruff <william@yossarian.net>
Signed-off-by: William Woodruff <william@yossarian.net>
Signed-off-by: William Woodruff <william@yossarian.net>
| - name: Install Rust | ||
| uses: taiki-e/github-actions/install-rust@nightly | ||
| - uses: taiki-e/setup-cross-toolchain-action@v1 | ||
| uses: taiki-e/github-actions/install-rust@4defe325132c540b152e731162b9067fab71ec21 # nightly # zizmor: ignore[stale-action-refs] |
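Review bot: the new `uses:` line pairs a commit hash with `# nightly` and a `zizmor: ignore[stale-action-refs]` marker, which silences the warning rather than resolving it: `nightly` is a moving branch, so the pinned commit stops matching the branch head as soon as it advances, and the trailing comment tells update tooling to track a ref whose head is not the pinned commit. Consider the form the maintainer suggests in the review thread, pinning the `main` commit with `# main` and selecting the toolchain through `toolchain: nightly`, so the ignore marker can be dropped.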
Handling of branches other than main is similar to taiki-e/install-action's @<tool_name> tags and dtolnay/rust-toolchain's @<rust_version> branches, so here I would like to use @<hash> # main and toolchain: nightly.
FYI, I recently documented in the install-action readme why I don’t recommend using hash-pin for this kind of tags/branches:
https://github.com/taiki-e/install-action?tab=readme-ov-file#security
Pinning @<tool_name> tags by hash is strongly discouraged, as it causes the workflow to reference a commit that is not present on the repository when a new version is released.
This uses pinact run -v to hash-pin some (but not all) of futures-rs's actions dependencies; some of the actions used by the CI are not trivial to pin automatically and require manual consideration (like taiki-e/github-actions/install-rust@nightly).

Separately, I've added cooldown settings to each of the configured Dependabot groups; this won't slow the actual update cadence but will prevent updates until each dependency is at least a week old, which gives security practitioners and scanners a bit of time to discover malware before it can propagate through the ecosystem.
(I've split these into separate commits to hopefully make them easier to review!)
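As an added example (not code from this PR, pinact or zizmor), a small audit that classifies each `uses:` reference the way the description above distinguishes them: immutable commit SHAs versus version tags and mutable refs such as `@nightly`, plus the trailing `# <ref>` comment a SHA pin needs. The workflow text is a constructed sample, not futures-rs's real CI file.

```python
import re

# Constructed sample (not futures-rs's real CI file) with the `uses:` forms discussed in the PR.
SAMPLE_WORKFLOW = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust
        uses: taiki-e/github-actions/install-rust@nightly
      - uses: taiki-e/setup-cross-toolchain-action@v1
      - uses: taiki-e/github-actions/install-rust@4defe325132c540b152e731162b9067fab71ec21 # nightly
      - uses: ./.github/actions/local-helper
"""
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<target>\S+)(?:\s*#\s*(?P<comment>.*?))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SEMVER_TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")

def classify(target):
    """Split a `uses:` target into (action, ref, kind): kind is 'sha', 'tag', 'branch' or 'local'."""
    if target.startswith(("./", "docker://")):
        return target, "", "local"
    action, _, ref = target.partition("@")
    if SHA_RE.fullmatch(ref):
        kind = "sha"      # immutable commit reference
    elif SEMVER_TAG_RE.fullmatch(ref):
        kind = "tag"      # version tag: movable by the action's maintainer
    else:
        kind = "branch"   # any other mutable ref, e.g. @nightly or a tool-name tag
    return action, ref, kind

def audit(workflow_text):
    """One finding per `uses:` line that is not a SHA pin carrying a '# <ref>' comment."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, kind = classify(m.group("target"))
        if kind == "local":
            continue  # repository-local actions have no remote ref to pin
        if kind != "sha":
            problem = f"mutable {kind} ref @{ref}; pin to a full commit SHA"
        elif not m.group("comment"):
            problem = "SHA pin lacks a '# <ref>' comment, so updaters cannot tell what it tracks"
        else:
            continue
        findings.append({"line": lineno, "action": action, "ref": ref, "kind": kind, "problem": problem})
    return findings
```

Running `audit(SAMPLE_WORKFLOW)` flags the `@v4`, `@nightly` and `@v1` lines and accepts the commented SHA pin; a SHA pin without a comment is reported separately.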