Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update GitHub Action documentation for Docker image stability and security #1042

Merged
merged 2 commits into from
Jul 17, 2024
Merged

Update GitHub Action documentation for Docker image stability and security #1042

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
05f3fa5
docs: Update GitHub Action documentation to specify Docker image on D…
5000164 Jul 16, 2024
80bbe23
docs: Add note to pin Docker image by its digest for enhanced security
5000164 Jul 16, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 12 additions & 2 deletions docs/docs/installation/github.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,13 +28,23 @@ jobs:
```


if you want to pin your action to a specific release (v2.0 for example) for stability reasons, use:
if you want to pin your action to a specific release (v0.23 for example) for stability reasons, use:
```yaml
...
steps:
- name: PR Agent action step
id: pragent
uses: Codium-ai/pr-agent@v2.0
uses: docker://codiumai/pr-agent:0.23-github_action
...
```

For enhanced security, you can also specify the Docker image by its digest:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove the "enhanced security".
its a bit confusing. It will not protect you from cyber attacks.
you mean to say that it ensures without a doubt that the docker will be freezed (although in practice the v0... models are freezed anyway)

you can also specify the Docker image by its digest:

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mean specifying the Docker image digest enhances security because it is effective in preventing supply chain attacks.
If the term "enhanced security" is confusing, would it be clearer to phrase it as "to prevent supply chain attacks"?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you know what, its ok. thanks for the PR

```yaml
...
steps:
- name: PR Agent action step
id: pragent
uses: docker://codiumai/pr-agent@sha256:14165e525678ace7d9b51cda8652c2d74abb4e1d76b57c4a6ccaeba84663cc64
Copy link
Collaborator

@mrT23 mrT23 Jul 16, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

add a link to digest, to explain how you found the SHA. It is not trivial

[digest](https://hub.docker.com/layers/codiumai/pr-agent/0.23-github_action/images/sha256-14165e525678ace7d9b51cda8652c2d74abb4e1d76b57c4a6ccaeba84663cc64?context=repo)

...
```

Expand Down