github-actions[bot]
commented
3 months ago [puLL-Merge] - actions/checkout@v4.1.1..v4.1.3
Here is my code review for this PR:
Description
This PR makes several changes and improvements to the actions/checkout codebase:
- Adds the ability to disable sparse checkout in an existing checkout
- Updates dependencies like
actions/checkoutin workflows to more stable versions - Introduces a new
test-ubuntu-gitcontainer image for testing actions/checkout in CI/CD - Adds support for configuring the SSH user when using SSH key auth
- Bumps the required minimum Git version for sparse checkout to 2.28
The motivation seems to be improving the robustness and configurability of the action, especially around newer Git features like sparse checkout.
Changes
### Changes - `.github/workflows/test.yml` - Adds a new job to test disabling sparse checkout - Updates container image for `test-proxy` job - `.github/workflows/update-main-version.yml` - Pins `actions/checkout` to v4.1.1 for stability/rollback - `README.md` - Documents new `ssh-user` input - `action.yml` - Defines new `ssh-user` input - `src/` - `git-command-manager.ts` - Implements `disableSparseCheckout()` and exposes new minimum version constant for sparse checkout - `git-source-provider.ts` - Calls new `disableSparseCheckout()` when appropriate - `git-source-settings.ts` - Defines new `sshUser` setting - `input-helper.ts` - Reads new `ssh-user` input - `url-helper.ts` - Uses configured `ssh-user` when building Git URL - `__test__/` - Updates tests for new behavior - `CHANGELOG.md`, `package.json` - Update version to 4.1.2Security Hotspots
url-helper.tsis now taking an arbitrary user-provided string (sshUser) and injecting it into the Git URL. This could allow specifying a malicious username. However, the risk seems low since this is used only in the context of an SSH URL with a pre-configured key. The other side would still need to accept the auth.- The
test-ubuntu-gitDockerfile should pin the versions of its base image and any packages installed to avoid supply chain risks from upstream images changing unexpectedly.
Overall this looks like a solid set of improvements. I'd recommend moving forward after considering the minor security points mentioned. Nice work!
This PR contains the following updates:
v4.1.1->v4.1.3Release Notes
actions/checkout (actions/checkout)
### [`v4.1.3`](https://togithub.com/actions/checkout/releases/tag/v4.1.3) [Compare Source](https://togithub.com/actions/checkout/compare/v4.1.2...v4.1.3) #### What's Changed - Update `actions/checkout` version in `update-main-version.yml` by [@jww3](https://togithub.com/jww3) in [https://github.com/actions/checkout/pull/1650](https://togithub.com/actions/checkout/pull/1650) - Check git version before attempting to disable `sparse-checkout` by [@jww3](https://togithub.com/jww3) in [https://github.com/actions/checkout/pull/1656](https://togithub.com/actions/checkout/pull/1656) - Add SSH user parameter by [@cory-miller](https://togithub.com/cory-miller) in [https://github.com/actions/checkout/pull/1685](https://togithub.com/actions/checkout/pull/1685) **Full Changelog**: https://github.com/actions/checkout/compare/v4.1.2...v4.1.3 ### [`v4.1.2`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v412) [Compare Source](https://togithub.com/actions/checkout/compare/v4.1.1...v4.1.2) - Fix: Disable sparse checkout whenever `sparse-checkout` option is not present [@dscho](https://togithub.com/dscho) in [https://github.com/actions/checkout/pull/1598](https://togithub.com/actions/checkout/pull/1598)Configuration
š Schedule: Branch creation - " 0-4 * 3" (UTC), Automerge - At any time (no schedule defined).
š¦ Automerge: Disabled by config. Please merge this manually once you are satisfied.
ā» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
š Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.