Hash-pin workflow dependencies #26338

Merged
merged 2 commits into from
Jun 29, 2023

pnacht
Contributor

@pnacht pnacht commented Jun 27, 2023

Fixed #26337

Description

As described in the linked issue, this PR hash-pins all workflow Actions to ensure they are immutable. Renovatebot is also set up to ensure Actions remain hash-pinned and updated.

The hashes were obtained by renovatebot (see its PR in my fork).

This contribution is funded by Google

pnacht and others added 2 commits June 27, 2023 14:28
@Mugen87 Mugen87 added this to the r154 milestone Jun 27, 2023
@pnacht pnacht changed the title Pinned deps Hash-pin workflow dependencies Jun 28, 2023
@mrdoob mrdoob merged commit b637cbf into mrdoob:dev Jun 29, 2023
@mrdoob
Owner

mrdoob commented Jun 29, 2023

Out of curiosity... Does this create extra maintenance? Do we ever need to change the hashes?

@donmccurdy
Collaborator

The Renovate bot will update dependencies in .github/workflows/ci.yml like it does those in package.json, e.g. if an action updates from v2 to v3. I haven't run it with hashes before, but would assume it can keep those updated as well...

Successfully merging this pull request may close these issues.

Hash-pin workflow Actions