Skip to content

Bump trakx/github-actions from 10.1.2 to 10.2.1 #177

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dependabot wants to merge 1 commit into
base: dev
Choose a base branch
from
Open

Bump trakx/github-actions from 10.1.2 to 10.2.1 #177

dependabot wants to merge 1 commit into from

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Nov 11, 2024

Bumps trakx/github-actions from 10.1.2 to 10.2.1.

Commits
  • d9bcd74 Merge pull request #117 from trakx/dev
  • 7c8ae6d Merge pull request #116 from trakx/merge/master-241108-1430
  • af9326c Merge branch 'master' into merge/master-241108-1430
  • 84867e4 fix/restore-dotnet-test-loop (#115)
  • 09e053d Dev ➡️ Master - v10.2.0 (#113)
  • c54024b Merge pull request #114 from trakx/merge/master-241108
  • 3a7ba69 Merge branch 'master' into merge/master-241108
  • 98db7a5 remove .NET version defaults (#112)
  • 44df714 Remove extra restores, unnecessary loops for dotnet and codacy (#110)
  • 8b53c33 Merge pull request #111 from trakx/feature/dotnet-8-as-default
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump trakx/github-actions from 10.1.2 to 10.2.1
356fa4e 
Bumps [trakx/github-actions](https://github.com/trakx/github-actions) from 10.1.2 to 10.2.1.
- [Release notes](https://github.com/trakx/github-actions/releases)
- [Commits](trakx/github-actions@v10.1.2...v10.2.1)

---
updated-dependencies:
- dependency-name: trakx/github-actions
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Nov 11, 2024
@dependabot dependabot bot mentioned this pull request Nov 11, 2024
Closed
@github-actions github-actions bot enabled auto-merge (squash) November 11, 2024 02:17
codacy-production[bot]
codacy-production bot reviewed Nov 11, 2024
View reviewed changes
.github/workflows/nuget.yml
- name: Build and publish nuget packages
id: publish
uses: trakx/github-actions/publish-nuget@v10.1.2
uses: trakx/github-actions/publish-nuget@v10.2.1
Copy link

@codacy-production codacy-production bot Nov 11, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Codacy found a medium Security issue: An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.

The issue identified by the Semgrep linter is that the GitHub Action is being referenced by a version tag (v10.2.1) instead of a full-length commit SHA. This can lead to security vulnerabilities because the action could change if the repository owner updates the tagged version. Pinning to a specific commit SHA ensures that the action remains immutable and prevents unintentional changes that could introduce vulnerabilities or bugs.

To fix this issue, you should replace the version tag with the full commit SHA of the action you want to use.

Here's the code suggestion to address the issue:

Suggested change
uses: trakx/github-actions/publish-nuget@v10.2.1
uses: trakx/github-actions/publish-nuget@<full-length-commit-sha>

Make sure to replace <full-length-commit-sha> with the actual SHA of the commit you want to pin to.

This comment was generated by an experimental AI tool.

codacy-production[bot]
codacy-production bot reviewed Nov 11, 2024
View reviewed changes
.github/workflows/test.yml
- name: Test and cover solutions
id: test
uses: trakx/github-actions/test-dotnet@v10.1.2
uses: trakx/github-actions/test-dotnet@v10.2.1
Copy link

@codacy-production codacy-production bot Nov 11, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Codacy found a medium Security issue: An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.

The issue identified by the Semgrep linter is related to the use of a GitHub Action that is sourced from a third-party repository. The action is currently pinned to a version tag (v10.2.1), which can lead to potential security vulnerabilities or unexpected changes if the action is updated in the upstream repository. To mitigate this risk, it's recommended to pin the action to a full-length commit SHA, which provides a specific and immutable reference to the code being executed.

To fix the issue, you should replace the version tag with the full-length commit SHA of the action you intend to use. Assuming you have the commit SHA (e.g., abc123def456...), the code suggestion would look like this:

Suggested change
uses: trakx/github-actions/test-dotnet@v10.2.1
uses: trakx/github-actions/test-dotnet@abc123def456

Make sure to replace abc123def456 with the actual commit SHA of the trakx/github-actions/test-dotnet repository that corresponds to the version you want to use.

This comment was generated by an experimental AI tool.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] approved these changes

+1 more reviewer

@codacy-production codacy-production[bot] codacy-production[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant