
update github workflows to use latest version of checkout and setup-python #2000

Merged: 1 commit into mandiant:master, Feb 23, 2024

Conversation

sjha2048 (Contributor)

Checklist

closes #1967

  • No CHANGELOG update needed
  • No new tests needed
  • No documentation update needed

@mr-tz (Collaborator) left a comment

great thank you! what about this release https://github.com/actions/checkout/releases/tag/v4.1.1?

could you also update the setup-python action, see the annotations/warnings, e.g. here: https://github.com/mandiant/capa/actions/runs/8001733292

@sjha2048 (Contributor, Author)

hi @mr-tz, any particular reason for using commit hashes instead of version numbers?

> could you also update the setup-python action

sure.

@mr-tz (Collaborator) commented Feb 22, 2024

Thanks, see https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
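As an added example (not part of this PR or of capa's own code), a small checker in the spirit of the guidance quoted above: it scans a workflow file for `uses:` references and reports those pinned to a tag or branch rather than a full-length commit SHA. The workflow text and the 40-hex SHA in it are constructed for the example.

```python
import re

# Constructed sample workflow (not capa's); the SHA below is a made-up placeholder.
SAMPLE_WORKFLOW = """\
name: CI
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5.0.0
      - uses: ./.github/actions/local-thing
      - uses: some-org/some-action@main
      - uses: docker://alpine:3.19
"""

# Matches "- uses: owner/repo@ref" and captures the reference up to whitespace or a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")


def classify_ref(ref):
    """Classify how an action reference is pinned."""
    if ref.startswith(("./", "docker://")):
        return "local-or-docker"  # not a third-party GitHub action
    if "@" not in ref:
        return "unpinned"  # no ref at all; GitHub rejects this, but flag it anyway
    _, rev = ref.rsplit("@", 1)
    if SHA_RE.match(rev):
        return "sha"  # immutable: full-length commit SHA
    if TAG_RE.match(rev):
        return "tag"  # mutable: a tag can be moved to a different commit
    return "branch"  # mutable: branch heads change with every push


def find_unpinned(workflow_text):
    """Return (line number, reference, kind) for every mutable action reference."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        kind = classify_ref(ref)
        if kind in ("tag", "branch", "unpinned"):
            findings.append((lineno, ref, kind))
    return findings


if __name__ == "__main__":
    for lineno, ref, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is pinned to a {kind}, not a commit SHA")
```

The trailing `# v5.0.0` comment on a SHA-pinned line is the usual way to keep the human-readable version visible next to the immutable reference.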

@sjha2048 (Contributor, Author)

TIL!
Thanks, will update shortly.

sjha2048 requested a review from mr-tz, February 22, 2024 15:26
sjha2048 changed the title from "update github workflows to use latest version of checkout" to "update github workflows to use latest version of checkout and setup-python", Feb 22, 2024
@mr-tz (Collaborator) commented Feb 22, 2024

Thanks, there's still a few to fix in the build and CI workflows. Let me know if you want to fix them as well or if we should track them separately.

@sjha2048 (Contributor, Author)

works for me either way, can you help me in listing them?
I'll also go through the logs, if there are too many changes then I'll raise separate PRs

@mr-tz (Collaborator) commented Feb 22, 2024

[Two screenshots, 2024-02-22, of the workflow run annotations listing the deprecated actions]

…(checkout, setup-python, upload-artifact, download-artifact)
@sjha2048 (Contributor, Author)

@mr-tz I have updated these actions.

@mr-tz (Collaborator) left a comment

Awesome, thank you!

mr-tz merged commit 8af3a19 into mandiant:master, Feb 23, 2024
25 checks passed
Successfully merging this pull request may close these issues.

Update deprecated checkout Actions