Thanks to visit codestin.com
Credit goes to github.com

Skip to content

[CI] Harden GitHub Actions #3338

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Apr 3, 2025
Merged

[CI] Harden GitHub Actions #3338

merged 2 commits into from
Apr 3, 2025

Conversation

khanhtc1202
Copy link
Contributor

Part of open-telemetry/sig-security#87

Changes

Please provide a brief description of the changes here.

For significant contributions please make sure you have completed the following items:

  • CHANGELOG.md updated for non-trivial changes
  • Unit tests have been added
  • Changes in public API reviewed

step-security-bot and others added 2 commits April 2, 2025 14:10
@step-security-bot
[StepSecurity] ci: Harden GitHub Actions
f81b85c 
Signed-off-by: StepSecurity Bot <[email protected]>
@khanhtc1202
Merge pull request #2 from step-security-bot/chore/GHA-021410-stepsec…
708104c 
…urity-remediation

[StepSecurity] ci: Harden GitHub Actions
@khanhtc1202 khanhtc1202 requested a review from a team as a code owner April 2, 2025 14:13
@netlify Netlify
Copy link

netlify bot commented Apr 2, 2025
edited
Loading

Deploy Preview for opentelemetry-cpp-api-docs canceled.

Name Link
🔨 Latest commit 708104c
🔍 Latest deploy log https://app.netlify.com/sites/opentelemetry-cpp-api-docs/deploys/67ed45ff20fb900008377e32

@marcalff marcalff self-assigned this Apr 2, 2025
@codecov Codecov
Copy link

codecov bot commented Apr 2, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 89.56%. Comparing base (c2a9397) to head (708104c).
Report is 1 commits behind head on main.

Additional details and impacted files

Impacted file tree graph

@@           Coverage Diff           @@
##             main    #3338   +/-   ##
=======================================
  Coverage   89.56%   89.56%           
=======================================
  Files         210      210           
  Lines        6502     6502           
=======================================
  Hits         5823     5823           
  Misses        679      679
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@marcalff
Copy link
Member

marcalff commented Apr 2, 2025

Thanks for the PR.

[malff@malff-desktop workflows]$ pwd
/home/malff/CODE/SEC_GITHUB/opentelemetry-cpp/.github/workflows
[malff@malff-desktop workflows]$ git log -1
commit 708104cfc36ddaa9de741ae1fd43fa8ebc30904a (HEAD -> main, origin/main, origin/HEAD)
Merge: c2a93976 f81b85cb
Author: Khanh Tran <[email protected]>
Date:   Wed Apr 2 23:11:17 2025 +0900

    Merge pull request #2 from step-security-bot/chore/GHA-021410-stepsecurity-remediation
    
    [StepSecurity] ci: Harden GitHub Actions
[malff@malff-desktop workflows]$ grep "actions/" --no-filename * | sed "s/^ *//g" | sort -u
# https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
issues: write  # for actions/stale to close stale issues
pull-requests: write  # for actions/stale to close stale PRs
run: sudo apt remove needrestart && sudo ./ci/install_format_tools.sh #refer: https://github.com/actions/runner-images/issues/9937
sudo apt remove needrestart #refer: https://github.com/actions/runner-images/issues/9937
uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
#    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/checkout@v4
- uses: actions/download-artifact@2a5974104b6d5dbdb2f9468a3e54da3bdd241578 # master
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
- uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
- uses: actions/upload-artifact@v4

There are still references to checkout@v4 and upload-artifact@v4 remaining.

Please fix:

[malff@malff-desktop workflows]$ grep "checkout@v4" *
clang-tidy.yaml:      - uses: actions/checkout@v4
iwyu.yml:      - uses: actions/checkout@v4
[malff@malff-desktop workflows]$ grep "upload-artifact@v4" *
clang-tidy.yaml:      - uses: actions/upload-artifact@v4
iwyu.yml:      - uses: actions/upload-artifact@v4

marcalff
marcalff requested changes Apr 2, 2025
View reviewed changes
Copy link
Member

@marcalff marcalff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR.

Please fix the remaining references to labels:

[malff@malff-desktop workflows]$ grep "checkout@v4" *
clang-tidy.yaml:      - uses: actions/checkout@v4
iwyu.yml:      - uses: actions/checkout@v4
[malff@malff-desktop workflows]$ grep "upload-artifact@v4" *
clang-tidy.yaml:      - uses: actions/upload-artifact@v4
iwyu.yml:      - uses: actions/upload-artifact@v4

@marcalff
Copy link
Member

marcalff commented Apr 2, 2025

Also, please change the comment from master to v4.6.2 for this one:

actions/download-artifact/commit/2a5974104b6d5dbdb2f9468a3e54da3bdd241578 # master

Verified manually every single commit.

marcalff
marcalff approved these changes Apr 3, 2025
View reviewed changes
Copy link
Member

@marcalff marcalff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks for the fix.

Taking the fix as-is, will fix remaining items in a different PR.

@marcalff marcalff merged commit b6630ee into open-telemetry:main Apr 3, 2025
66 checks passed
@marcalff marcalff mentioned this pull request Apr 3, 2025
Merged
3 tasks
malkia added a commit to malkia/opentelemetry-cpp that referenced this pull request Apr 3, 2025
@malkia
Merge pull request #231 from open-telemetry/main
339bb22 
[StepSecurity] ci: Harden GitHub Actions (open-telemetry#3338)
@marcalff marcalff mentioned this pull request Apr 7, 2025
Closed
@marcalff marcalff changed the title ci: Harden GitHub Actions [CI] Harden GitHub Actions May 26, 2025
@BrewTestBot BrewTestBot mentioned this pull request May 29, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marcalff marcalff marcalff approved these changes

Assignees

@marcalff marcalff

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@khanhtc1202 @marcalff @step-security-bot