Skip to content

ci: pin hashes for workflow dependencies #3326

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Apr 15, 2025
Merged

ci: pin hashes for workflow dependencies #3326

merged 4 commits into from
Apr 15, 2025

Conversation

jharvey10
Copy link
Contributor

@jharvey10 jharvey10 commented Apr 14, 2025
edited
Loading

As per recommended security guidelines, this PR pins all workflow dependencies to specific hashes. Updates will be handled by renovatebot.

Also updates some .yaml workflow files to .yml like the rest.

Big "thank you" to this tool for easing this transition:
https://github.com/mheap/pin-github-action

@jharvey10 jharvey10 requested review from jdbaldry and a team as code owners April 14, 2025 20:53
jharvey10
jharvey10 commented Apr 14, 2025
View reviewed changes
jdbaldry
jdbaldry approved these changes Apr 15, 2025
View reviewed changes
Copy link
Contributor

@jdbaldry jdbaldry left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

publish-technical-documentation-.+ and update-make-docs workflows look good to me.

.github/workflows/publish-technical-documentation-release.yml
with:
fetch-depth: 0
- uses: grafana/writers-toolkit/publish-technical-documentation-release@publish-technical-documentation-release/v1
- uses: grafana/writers-toolkit/publish-technical-documentation-release@d83ba5389fb8de1458b12bcc35ad4a4059883029 # publish-technical-documentation-release/v1
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let me know if you have any trouble with this. I have a memory that Renovate doesn't understand tags like <PREFIX>/<SEMANTIC VERSION> and only supports dash separated prefix and version.

I'd prefer to not change the versioning format so if this turns out to be the case, I'll look to submit a patch to support this format but absolutely re-tag Writers' Toolkit if we need to.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 I'll keep an eye on it! I know within renovate we can do custom versioning syntax based on regular expressions, so I think there's a way to make it work; it'll just depend on whether or not this is supported out of the box.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, should clarify that I think my memory pertains specifically to the GitHub Actions version logic that you get out of the box. Let's see how it goes :)

@jharvey10 jharvey10 enabled auto-merge (squash) April 15, 2025 13:50
@jharvey10 jharvey10 merged commit e2c8ed9 into main Apr 15, 2025
39 checks passed
@jharvey10 jharvey10 deleted the ci/renovate-config-updates branch April 15, 2025 14:08
@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 16, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@jdbaldry jdbaldry jdbaldry approved these changes

@dehaansa dehaansa dehaansa approved these changes

@thampiotr thampiotr thampiotr approved these changes

Assignees
No one assigned
Labels
frozen-due-to-age
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@jharvey10 @dehaansa @jdbaldry @thampiotr