Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Consider not advocating using action from main #7

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
matthewfeickert opened this issue May 26, 2023 · 4 comments · Fixed by #13
Closed

Consider not advocating using action from main #7

matthewfeickert opened this issue May 26, 2023 · 4 comments · Fixed by #13

Comments

@matthewfeickert
Copy link
Member

matthewfeickert commented May 26, 2023
edited
Loading

At the moment the v0.1.0 docs advocate that users use the action from main and not from a specific tag.

upload-nightly-action/README.md

Lines 10 to 17 in 80af44f

jobs:
steps:
...
- name: Upload wheel
uses: scientific-python/upload-nightly-action@main
with:
artifacts_path: dist
anaconda_nightly_upload_token: ${{secrets.UPLOAD_TOKEN}}

This seems like a security issue that should be avoided and that @webknjaz has discussed before for https://github.com/pypa/gh-action-pypi-publish.

A more secure option is to advocate that users use release tags and dependabot to check for updates to the GitHub Actions that they use and then consider from the PR if the update in the tag is something they are ready to accept. Example .github/dependabot.yml (taken from Scikit-HEP developer recommendations (thanks @henryiii!)):

version: 2
updates:
  # Maintain dependencies for GitHub Actions
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
@webknjaz
Copy link

FWIW the safest way is to pin commit hashes. Dependabot knows how to bump them for as long as they are tagged..

@henryiii
Copy link

(And can add a comment with the tag name)

@matthewfeickert
Copy link
Member Author

@henryiii that's neat — I didn't know that. Do you have an example you can share that I can look at for reference?

@henryiii
Copy link

dependabot/dependabot-core#4691 (comment)

This was referenced May 31, 2023
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

DOC: Advocate for using action from tagged release commit shas matthewfeickert/upload-nightly-action
3 participants
@webknjaz @henryiii @matthewfeickert