Improve pipelines #5432
base: master
Conversation
What are the npmCommand warnings referring to in that report output?
I think the issue is with
Take into account that until we merge #5431 we are depending on the OSSF Scorecard CRON job to update the results. So the last scanned commit was 0e3ab6e, here is the visual report
Do we know if the dependabot updates (assuming we decide to use that) for these versions will take into account semverness? I know it doesn't normally (which is soooooo annoying and broken) but I thought there was a setting to disallow majors, I am not sure that would work with commit hashes. Not blocking at all, but the more we lean into these the more general maintenance we need to do. IMO a better way is to move this kind of stuff to a shared workflow in
Added suggestions for latest versions of pinned GitHub actions.
Dependabot should ignore deps pinned to commits. It just doesn't know what to do with them, so it will skip them.
So the problem then is we don't get any updates. Which is maybe fine, but still this is a bad DX imo.
Pinning these deps is part of the scorecard score and guidance recommendations, hence why they have been proposed this way.
Yeah I get that, doesn't help make it any less of a UX problem though right? We still need to update them on a regular basis.
Co-authored-by: Íñigo Marquínez Prado <[email protected]>
@inigomarquinez I think that updating the dependencies might break the pipelines, I will have a look into it.
Yes, it should support this approach. The comment is just to make it more human readable. The reason why we need to use commit hashes and not the tag reference directly is because the tags are not immutable, so we can end up running something different than what we expect.
Frankly seeing this same change in many repos is going to not be something I am interested in dealing with. I am borderline on this, but I think I am leaning toward: This shouldn't land until there is a way to centrally manage this across all the repos with a single update. Which I think means that we should refactor many of the CICD setups to use shared workflows from the
Main Changes
This change includes the pinning for the GitHub Actions dependencies (ce959ac) and the permissions definition for the pipeline (ea604fb)
Impact in the OSSF Scorecard
Context
Changes related
Team discussion related
Changelog
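The two properties this PR introduces (actions pinned to a full commit SHA with a human-readable version comment, and an explicit `permissions:` block, as described in the PR description and in the comment above about mutable tags) are easy to regress when someone copies a step from another repo. The checker below is an added example written for this page; it is not code from the pull request or from the project, and the sample workflow and its 40-hex SHA are constructed placeholders, not real commits. It flags `uses:` references that still point at a tag or branch, SHA pins that lack the version comment, and workflows with no top-level `permissions:` block.

```python
import re

# Reference forms seen in `uses:` lines: owner/repo@ref, ./local/path, docker://image.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?(?:\s*#\s*(.*?))?\s*$")
# Only a top-level (column 0) permissions block is checked; job-level blocks are indented.
PERMISSIONS_RE = re.compile(r"^permissions:", re.MULTILINE)

# Constructed sample workflow for this example. The 40-hex SHA is a placeholder,
# not a real actions/checkout commit; the trailing comment mirrors the PR's convention.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v3.5.2
      - uses: actions/setup-node@v3
      - uses: ./.github/actions/local-setup
      - uses: docker://alpine:3.18
      - run: npm test
"""


def classify_uses(ref: str) -> str:
    """Classify a `uses:` reference by how stable the thing it resolves to is."""
    if ref.startswith("./"):
        return "local"        # lives in the same repo, versioned with the workflow
    if ref.startswith("docker://"):
        return "docker"       # image references are out of scope for this checker
    if "@" not in ref:
        return "unversioned"  # no ref at all
    _, version = ref.rsplit("@", 1)
    # Tags and branches can be moved after the fact; a full commit SHA cannot.
    return "sha" if SHA_RE.match(version) else "mutable"


def audit_workflow(text: str) -> dict:
    """Report unpinned action refs, SHA pins lacking a version comment, and
    whether a top-level `permissions:` block is present."""
    unpinned, uncommented = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        kind = classify_uses(ref)
        if kind in ("mutable", "unversioned"):
            unpinned.append((line_no, ref))
        elif kind == "sha" and not comment:
            uncommented.append((line_no, ref))
    return {
        "unpinned": unpinned,
        "sha_without_version_comment": uncommented,
        "permissions_defined": PERMISSIONS_RE.search(text) is not None,
    }


if __name__ == "__main__":
    report = audit_workflow(SAMPLE_WORKFLOW)
    for line_no, ref in report["unpinned"]:
        print(f"line {line_no}: {ref} is not pinned to a commit SHA")
    for line_no, ref in report["sha_without_version_comment"]:
        print(f"line {line_no}: {ref} has no human-readable version comment")
    if not report["permissions_defined"]:
        print("no top-level permissions: block; the default token scope applies")
```

On the sample above the only finding is `actions/setup-node@v3` on line 10: the checkout step is SHA-pinned with a comment, the local and `docker://` steps are left alone, and the `permissions:` block is present. The script deliberately uses line-oriented regexes instead of a YAML parser so it has no dependencies and can run as a pre-commit or CI step.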