ci: github: Add workflow to ensure all GH actions are pinned #87487

Merged: 1 commit, Mar 25, 2025

@kartben (Collaborator) commented Mar 21, 2025

This commit introduces a new workflow that checks all GitHub Actions in our workflows are SHA-pinned.

@kartben force-pushed the enforce_pinned_actions branch 2 times, most recently from 42e512d to 0ca1811, March 21, 2025 16:56
@kartben marked this pull request as ready for review March 21, 2025 16:57
@kartben requested a review from pdgendt March 21, 2025 16:59

@pdgendt (Collaborator) previously approved these changes Mar 21, 2025 and left a comment:

+1 if it does what it states it does :)

@kartben (Collaborator, Author) commented Mar 21, 2025

> +1 if it does what it states it does :)

yeah -- tested in my fork and seems to do the job :)

Comment on lines 5 to 8
types:
- edited
- opened
- reopened
- synchronize
Member commented:

drop, you don't need edited, that's for rerunning it when the comment is edited, the other three are the default, I'm taking that you copied this block from the compliance workflow, there's a step there that checks that the comment is not empty so it needs edited to work correctly but nothing else should have it

@kartben (Collaborator, Author) commented:

> I'm taking that you copied this block from the compliance workflow

bingo :)

@fabiobaltieri (Member) commented Mar 21, 2025:

sorry I meant drop the whole block, the ones you want are the default, just leave

on:
  pull_request:
    paths:
...

@kartben (Collaborator, Author) commented:

ah - done

This commit introduces a new workflow that checks for SHA-pinned GitHub
Actions on pull requests.

Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
@kartben force-pushed the enforce_pinned_actions branch from ad5ec03 to d4cf5cd, March 21, 2025 17:31
@kartben merged commit 9b60782 into zephyrproject-rtos:main Mar 25, 2025
16 checks passed