Replace dependabot with GitHub Action #356

Merged (4 commits), Oct 18, 2021

Conversation

quietbits (Contributor):
This will replace multiple issues from dependabot for a few individual dependencies with a single issue to update all of them (which is our practice).

@quietbits quietbits linked an issue Oct 15, 2021 that may be closed by this pull request
@leighmcculloch leighmcculloch (Member) left a comment:
One request (❗), and one suggestion (💡).

```yaml
issues: write
steps:
  - name: Update dependencies
    uses: imjohnbo/issue-bot@v3.3.4
```
❗ GitHub had a list of things they recommend we do whenever using third party actions:

  • Pin actions to a full length commit SHA

  • Audit the source code of the action

  • Pin actions to a tag only if you trust the creator

Ref: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

Can you do the first two items?

Comment on lines 19 to 22
Update all project dependencies
```
yarn upgrade-interactive --latest
```
💡 Do you have a checklist of things you do for the upgrade that we could knowledge share here? Also, it might be helpful to include commands for how you look at diffs of dependencies being upgraded, so everyone's process converges for how to do this.

@marcelosalloum marcelosalloum (Contributor) left a comment:
LGTM! I've just added one suggestion to pin the GH Action commit sha instead of its tag. GH Security recommends this:

Pin actions to a full length commit SHA
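A small audit for the pinning request in the two review comments above, added here as an example and not code from this PR or the repository: it scans a workflow file for `uses:` references and reports which ones are pinned to a full-length commit SHA, which are tags or branches (movable by the action's maintainer or by a force-push), and which are in-repo actions. The workflow text is constructed for the example and the 40-hex SHA in it is a placeholder, not a real imjohnbo/issue-bot commit; the `# v3.3.4` comment next to it follows the common convention of recording which release a pinned SHA corresponds to.

```python
import re

# Constructed sample workflow, modelled on the snippet under review.
# The 40-hex SHA is a placeholder, not a real issue-bot commit.
SAMPLE_WORKFLOW = """\
name: Update dependencies
on:
  schedule:
    - cron: "0 9 1 * *"
jobs:
  open-issue:
    runs-on: ubuntu-latest
    permissions:
      issues: write
    steps:
      - uses: actions/checkout@v2
      - name: Update dependencies
        uses: imjohnbo/issue-bot@v3.3.4
      - uses: imjohnbo/issue-bot@0123456789abcdef0123456789abcdef01234567 # v3.3.4
      - uses: ./.github/actions/local-helper
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_uses(workflow_text):
    """Return (action, ref, status) for every `uses:` line.

    status is "pinned" when ref is a full 40-hex commit SHA, "local" for
    in-repo actions (nothing external to pin), and "unpinned" for tags or
    branches, which can be re-pointed at different code after review.
    """
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith("./"):
            findings.append((spec, None, "local"))
            continue
        action, _, ref = spec.partition("@")
        status = "pinned" if FULL_SHA_RE.match(ref) else "unpinned"
        findings.append((action, ref, status))
    return findings


def unpinned_actions(workflow_text):
    """Names of third-party actions that are not pinned to a full SHA."""
    return [a for a, _, s in audit_uses(workflow_text) if s == "unpinned"]


if __name__ == "__main__":
    for action, ref, status in audit_uses(SAMPLE_WORKFLOW):
        print(f"{status:8} {action}" + (f"@{ref}" if ref else ""))
```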

Suggested change on .github/workflows/update_deps.yml (outdated, resolved)
Co-authored-by: Marcelo Salloum dos Santos <marcelo@stellar.org>
@quietbits quietbits merged commit 2327650 into master Oct 18, 2021
@quietbits quietbits deleted the il-deps-gh-action branch October 18, 2021 18:57
Successfully merging this pull request may close these issues.

Replace dependabot with GitHub Action