ci: pin danger action to full-length commit SHA #4753
Conversation
@sentry review
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: getsentry/github-workflows/danger@v3 | ||
| - uses: getsentry/github-workflows/danger@13be9bec4ec5cd67061b747972b996e9c80f4f3b # 3.1.0 |
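Review bot: Please confirm that 13be9bec4ec5cd67061b747972b996e9c80f4f3b is the commit the 3.1.0 tag of getsentry/github-workflows resolves to, and keep the trailing `# 3.1.0` comment in exactly that form: Dependabot uses the version comment beside a SHA pin to recognise which release is in use and rewrites the SHA and the comment together on later bumps, so a missing or stale comment would quietly stop future updates of this step. Replacing `@v3` with a full-length SHA is the right call, because a tag is a mutable reference that the upstream repository can repoint, whereas the commit SHA is not.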
The update to pin the danger action to a specific commit SHA (13be9bec4ec5cd67061b747972b996e9c80f4f3b) is a good practice for enhancing security and reproducibility. This ensures that the workflow always runs with the exact same action code, preventing unexpected changes from upstream updates to the @v3 tag.
However, this approach also means that any future bug fixes or security patches released by the getsentry/github-workflows/danger action maintainers (within the 3.x series) will not be automatically applied. These updates will require a manual change to the SHA in this workflow.
Given the inline comment # 3.1.0, it suggests an intent to use version 3.1.0. If the primary goal is to track this specific minor version and automatically receive patch updates, consider using @v3.1.0 instead of the full SHA. This offers a balance between stability and ease of maintenance. If absolute immutability is the highest priority, then the current SHA pinning is appropriate, but be mindful of the need for manual updates for any patches.
Severity: MEDIUM
Location: .github/workflows/danger.yml#L11
@dependabot is automatically updating GitHub actions.
See e.g. #4715.
It's also updating the version-comment appropriately.
Codecov Report: All modified and coverable lines are covered by tests.

@@ Coverage Diff @@
##             main   #4753    +/-  ##
======================================
+ Coverage   73.69%  73.70%  +0.01%
======================================
  Files         476     476
  Lines       17443   17443
  Branches     3453    3453
======================================
+ Hits        12854   12856      +2
+ Misses       3741    3740      -1
+ Partials      848     847      -1
I noticed that the "Danger" action is not pinned to the full-length commit SHA.
This is a follow-up to issue #4540 (PR #4562).
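The check this PR is about (every third-party `uses:` reference pinned to a full-length commit SHA with a version comment beside it, in the form Dependabot keeps in sync) can be scripted so it runs in CI or pre-commit. The script below is an added example, not code from this repository or from getsentry/github-workflows; it scans workflow text line by line with a regular expression rather than a YAML parser, skips local (`./`) and `docker://` actions, and the sample workflow it runs on is constructed here, reusing the pinned danger line from the diff above. The `some-org/some-action` SHA in the sample is a made-up placeholder, not a real commit.

```python
import re
from dataclasses import dataclass
from typing import List

# Matches a step line such as "- uses: owner/repo@ref  # 1.2.3".
# The optional trailing comment is what Dependabot rewrites alongside the SHA.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<uses>\S+)(?:\s*#\s*(?P<comment>.*\S))?\s*$"
)
# A full-length git commit SHA is exactly 40 hex characters.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    reason: str


def check_uses_pins(workflow_text: str) -> List[Finding]:
    """Return one Finding per third-party action that is not pinned to a
    full-length commit SHA, or whose SHA pin lacks a '# <version>' comment."""
    findings: List[Finding] = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        uses = m.group("uses")
        # Local composite actions and docker images are not GitHub refs.
        if uses.startswith("./") or uses.startswith("docker://"):
            continue
        if "@" not in uses:
            findings.append(Finding(line_no, uses, "", "no ref given at all"))
            continue
        action, ref = uses.rsplit("@", 1)
        if not FULL_SHA_RE.match(ref):
            findings.append(Finding(
                line_no, action, ref,
                "mutable ref (tag or branch), not a full-length commit SHA",
            ))
        elif not m.group("comment"):
            findings.append(Finding(
                line_no, action, ref,
                "SHA pin has no trailing '# <version>' comment for Dependabot",
            ))
    return findings


# Constructed sample workflow: the second step is the pinned line from this PR,
# the others are deliberately unpinned or incomplete to exercise the checker.
SAMPLE_WORKFLOW = """\
name: Danger
on: pull_request
jobs:
  danger:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: getsentry/github-workflows/danger@13be9bec4ec5cd67061b747972b996e9c80f4f3b # 3.1.0
      - uses: ./.github/actions/local-step
      - uses: some-org/some-action@0123456789abcdef0123456789abcdef01234567
"""


if __name__ == "__main__":
    for f in check_uses_pins(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.action}@{f.ref or '<none>'}: {f.reason}")
```

Run against the sample, it reports line 7 (`actions/checkout@v4`, a mutable tag) and line 10 (a SHA pin with no version comment) and accepts the pinned danger step unchanged. The regex deliberately rejects short SHAs too, since only the full 40-character form is unambiguous.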