Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ci: pin github actions by hash and update via dependabot #3146

Merged
merged 4 commits into from
Feb 5, 2025
Merged

ci: pin github actions by hash and update via dependabot #3146

merged 4 commits into from
Feb 5, 2025

Conversation

xopham
Copy link
Contributor

@xopham xopham commented Feb 4, 2025
edited
Loading

What does this PR do?

  • Add dependabot for github actions
  • Pin actions by hash

Motivation

Pinning 3rd-party GitHub Actions by commit SHA makes them less vulnerable to compromise of the 3rd party. To avoid outdating and non-verbosity, versions are commented after the SHA and updating via dependabot is introduced that will automatically update the commented version tag as well.

In case of a false commit SHA, this change could break the corresponding workflow. Typically, this does not cause major interruptions, but it can for example affect a release pipeline and require restart causing delays.

Reviewer's Checklist

  • Changed code has unit tests for its functionality at or near 100% coverage.
  • System-Tests covering this feature have been added and enabled with the va.b.c-dev version tag.
  • There is a benchmark for any new code, or changes to existing code.
  • If this interacts with the agent in a new way, a system test has been added.
  • Add an appropriate team label so this PR gets put in the right place for the release notes.
  • Non-trivial go.mod changes, e.g. adding new modules, are reviewed by @DataDog/dd-trace-go-guild.
  • For internal contributors, a matching PR should be created to the v2-dev branch and reviewed by @DataDog/apm-go.

Unsure? Have a question? Request a review!

@xopham xopham marked this pull request as ready for review February 4, 2025 16:49
@xopham xopham requested review from a team as code owners February 4, 2025 16:49
@pr-commenter
Copy link

pr-commenter bot commented Feb 4, 2025
edited
Loading

Benchmarks

Benchmark execution time: 2025-02-05 14:35:35

Comparing candidate commit 2fb957d in PR branch christoph.hamsen/pin-update-gh-actions with baseline commit e1c213d in branch main.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 59 metrics, 0 unstable metrics.

felixge
felixge approved these changes Feb 4, 2025
View reviewed changes
Copy link
Member

@felixge felixge left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks you for identifying the issue, providing a solution, and taking care of reducing future maintenance burden on the engineers working in this repository 🙇.

@xopham xopham force-pushed the christoph.hamsen/pin-update-gh-actions branch from 53b871b to c770bc3 Compare February 5, 2025 11:03
@datadog-datadog-prod-us1
Copy link

datadog-datadog-prod-us1 bot commented Feb 5, 2025
edited
Loading

Datadog Report

Branch report: christoph.hamsen/pin-update-gh-actions
Commit report: f4e0577
Test service: dd-trace-go

✅ 0 Failed, 5222 Passed, 72 Skipped, 1m 57.76s Total Time

@xopham xopham force-pushed the christoph.hamsen/pin-update-gh-actions branch from c155acc to c770bc3 Compare February 5, 2025 12:54
@xopham xopham force-pushed the christoph.hamsen/pin-update-gh-actions branch from c770bc3 to 92818db Compare February 5, 2025 12:54
@felixge felixge enabled auto-merge (squash) February 5, 2025 13:34
@felixge felixge merged commit 829de1b into main Feb 5, 2025
197 checks passed
@felixge felixge deleted the christoph.hamsen/pin-update-gh-actions branch February 5, 2025 14:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@felixge felixge felixge approved these changes

@kakkoyun kakkoyun kakkoyun approved these changes

@hannahkm hannahkm hannahkm approved these changes

@eliottness eliottness eliottness approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@xopham @felixge @kakkoyun @hannahkm @eliottness