SeedSigner / seedsigner

Use an air-gapped Raspberry Pi Zero to sign for Bitcoin transactions! (and do other cool stuff)
MIT License

Pin+update Github Actions, add dependabot config for action updates #568

Open dbast opened 2 months ago

dbast commented 2 months ago

The current GitHub actions used in the test and build workflow are outdated and cause the following warnings:

see e.g. https://github.com/SeedSigner/seedsigner/actions/runs/9842707509

This PR therefore updates all actions and additionally pins them to their exact git sha1 (with human readable version as comment). This is done for security reasons as plain versions are git tags and thus mutable, i.e. they can influence the workflow outcome if manipulated.

see also https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

An added dependabot config helps to keep those actions up-to-date and makes it much easier as no person has to deal with manually updating action sha1s. Merging this PR results in the creation of automatic update PRs by dependabot as can be seen here https://github.com/dbast/seedsigner/pull/8

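The pinning rule the PR applies can be checked mechanically. The script below is an added example, not code from this PR or from the SeedSigner project: it scans the `uses:` lines of a workflow and reports every third-party action that is referenced by a mutable tag or branch instead of a 40-character commit SHA. The embedded workflow text is constructed for the example, and the `0000...` SHA in it is a placeholder, not a real commit.

```python
import re

# Constructed sample workflow (not SeedSigner's real workflow). One action is
# pinned to a full commit SHA with a version comment (placeholder SHA), two are
# pinned only to mutable refs, and one is a local action that needs no pin.
SAMPLE_WORKFLOW = """\
name: test
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4.1.7 (placeholder sha)
      - uses: actions/setup-python@v5
      - uses: docker/build-push-action@main
      - uses: ./.github/actions/local-thing
      - run: pytest
"""

# Matches "uses: <ref>" (optionally as a list item); the ref stops at
# whitespace or a trailing "# version" comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref):
    """Classify a `uses:` reference as 'local', 'sha' or 'mutable'.

    'local' refers to an action inside the repository itself (no pin needed).
    'sha' means the part after '@' is a 40-hex commit id (docker:// images
    count as pinned when they carry a sha256 digest).
    Everything else (tag, branch, or no ref at all) is 'mutable'.
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "sha" if "@sha256:" in ref else "mutable"
    if "@" not in ref:
        return "mutable"  # no ref at all resolves to the default branch
    _, _, version = ref.rpartition("@")
    return "sha" if SHA_RE.match(version) else "mutable"


def find_unpinned(workflow_text):
    """Return [(line_no, ref)] for every action not pinned to a commit SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")  # tolerate quoted YAML scalars
        if classify_uses(ref) == "mutable":
            findings.append((line_no, ref))
    return findings


if __name__ == "__main__":
    for line_no, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} is not pinned to a commit SHA")
```

Run against real workflow files under `.github/workflows/` the script flags exactly the references this PR replaces with SHAs. Keeping the version as a trailing comment (as the PR does) is what lets Dependabot's `github-actions` package ecosystem update both the SHA and the comment together, so the pin stays readable without anyone editing hashes by hand.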