hashicorp / setup-packer

Run HashiCorp Packer as part of your GitHub Actions Workflow
https://github.com/marketplace/actions/setup-hashicorp-packer
Apache License 2.0
139 stars 83 forks

The latest release is quite old #45

Closed chrisjohnson00 closed 1 year ago

chrisjohnson00 commented 2 years ago

I work at a company and would like to use this action, but we have a rule that we don't point to branches of workflows. The idea being that we test things before they change, and branches can move on without any notice/testing.

https://github.com/hashicorp/packer-github-actions/compare/v0.2.0...master

There's a number of new features since the last release that would be nice to get a new release for.

Psychobobb commented 2 years ago

I second this.

Without a fixed tag, we're essentially on bleeding edge (head of master branch). Not a great thing to run in production for reasons that @chrisjohnson00 mentions.

Would be great if a new release/git tag could be added as v0.2.0 was about 15x commits ago and new features (like the command init) have been added since.

Psychobobb commented 2 years ago

I can see a new commit was made today bringing in packer 1.8.2 (8a84ef)

Still no release/git tag to pin our usage to a specific point in the history.

It's less ideal, but for now we are going to tag to the SHAs as a crutch i.e. hashicorp/packer-github-actions@da1fc3d139662b469e56a9e40e1652502b8a84ef

Not sure if that would help your situation also @chrisjohnson00

tagging @ksatirli @sylviamoss @lomar92 as y'all seem to be the maintainers of the repo 😉

ksatirli commented 2 years ago

Hey folks - we're currently in the process of rewriting the underlying code for this action and hope to have a new release available soon.

The new action will replace this action and provide access to all published Packer versions, making it easier for you to select whichever version you need.

If you'd be interested in testing this, please tag me so I can provide you with early access.

austinorth commented 2 years ago

@ksatirli 🤚🏻 definitely interested!

jacobnosal commented 2 years ago

@ksatirli interested as well!

spencer-cdw commented 2 years ago

@ksatirli 🤚 Interested in testing

ksatirli commented 2 years ago

Thank you @austinorth, @jacobnosal, and @spencer-cdw - I've marked the three of you down.

For you and others, I wanted to provide an update here:

We're working on the rebuilt version of this action and have completed the part that allows you to select any Packer version. Next up is adding support for nightly releases.

Thank you for your patience while we add some more documentation and make this joyful for all (of us)

chrisjohnson00 commented 1 year ago

> I can see a new commit was made today bringing in packer 1.8.2 (8a84ef)
>
> Still no release/git tag to pin our usage to a specific point in the history.
>
> It's less ideal, but for now we are going to tag to the SHAs as a crutch i.e. hashicorp/packer-github-actions@da1fc3d139662b469e56a9e40e1652502b8a84ef
>
> Not sure if that would help your situation also @chrisjohnson00
>
> tagging @ksatirli @sylviamoss @lomar92 as y'all seem to be the maintainers of the repo 😉

Yes, we use SHAs even for tagged releases. We've had security issues even with tags on public repos. There was a case where a public action repo was hacked, and the tag was replaced with a new commit that contained the hack/security issue. So using the commit SHA solves it for both branches being "static" (to some degree assuming the branch's history doesn't change), as well as ensuring the tag is the code we expect. Dependabot supports tag -> sha -> tag resolution as well, so it doesn't break using it to keep your actions updated.
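An added example, not part of the thread or of the action's own code: one way to audit a workflow file for `uses:` references that are not pinned to a full 40-character commit SHA, the practice described in the comment above. The sample workflow is constructed; the only value taken from the thread is the SHA quoted there, and the function names are hypothetical.

```python
import re

# Constructed sample workflow; the 40-hex SHA is the one quoted in the thread.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: hashicorp/packer-github-actions@master
      - uses: hashicorp/packer-github-actions@da1fc3d139662b469e56a9e40e1652502b8a84ef # pinned
      - uses: hashicorp/packer-github-actions@da1fc3d
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.18
"""

# Captures the value of a `uses:` key, ignoring quotes and trailing comments.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(ref_spec):
    """Classify one `uses:` value by how its version reference is expressed."""
    if ref_spec.startswith("./"):
        return "local"        # lives in the same repository as the workflow
    if ref_spec.startswith("docker://"):
        return "docker"       # container image, outside the scope of this check
    _, sep, ref = ref_spec.rpartition("@")
    if not sep:
        return "missing-ref"
    # Tags and branches can be moved to another commit; an abbreviated SHA is
    # indistinguishable from a ref name, so only a full SHA counts as a pin.
    return "pinned" if FULL_SHA_RE.match(ref) else "mutable"


def audit(workflow_text):
    """Return (line number, uses value, status) for every unpinned action."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if match:
            status = classify(match.group(1))
            if status in ("mutable", "missing-ref"):
                findings.append((lineno, match.group(1), status))
    return findings


if __name__ == "__main__":
    for lineno, value, status in audit(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {value} ({status})")
```
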

JenGoldstrich commented 1 year ago

Just a heads up folks, @ksatirli and I are going to release a new version of this action, renamed to setup-packer, under the main branch of this repository. The older version will still be usable in the master branch. Our apologies for the security flags. The new action will allow users to use the latest version of packer always without us having to update the action, which will mitigate this in the future.