mandiant / capa

The FLARE team's open-source tool to identify capabilities in executable files.
Apache License 2.0

update github workflows to use latest version of checkout and setup-python #2000

Closed sjha2048 closed 5 months ago

sjha2048 commented 5 months ago

Checklist

closes #1967

sjha2048 commented 5 months ago

hi @mr-tz, any particular reason for using commit hashes instead of version numbers?

could you also update the setup-python action

sure.

mr-tz commented 5 months ago

Thanks, see https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
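The rule mr-tz quotes (an action reference is immutable only when it points at a full-length commit SHA) is easy to check mechanically before a workflow is merged. The following scanner is an added example for this thread, not code from the capa repository or this PR: it reads a workflow file line by line, extracts every `uses:` target, and reports the ones whose `@ref` is a tag, branch, or missing rather than a 40-hex-character commit id. The sample workflow and the SHA in it are constructed placeholders, not real upstream commits; the check also says nothing about whether a SHA comes from the action's own repository rather than a fork, which still has to be verified by hand as the quoted guidance says.

```python
import re
from typing import NamedTuple

# A full-length SHA-1 commit id is exactly 40 lowercase hex characters.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches a step's `uses:` line, with or without the leading `- `, with or
# without quotes, and ignores any trailing `# v1.2.3` comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?")


class ActionRef(NamedTuple):
    line_no: int
    action: str   # e.g. "actions/checkout"
    ref: str      # text after "@", "" when no ref is given at all
    pinned: bool  # True only when ref is a full-length commit SHA


def scan_workflow(text: str) -> list[ActionRef]:
    """Return every third-party action reference found in a workflow file."""
    found = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local composite actions and docker:// images are not fetched from
        # another GitHub repository, so the SHA-pinning rule does not apply.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, _, ref = target.partition("@")
        found.append(ActionRef(n, action, ref, bool(FULL_SHA_RE.match(ref))))
    return found


def unpinned(text: str) -> list[ActionRef]:
    """Only the references that are mutable (tag, branch, or no ref)."""
    return [r for r in scan_workflow(text) if not r.pinned]


# Constructed sample workflow; the 40-hex value is a placeholder, not the
# real commit id of any setup-python release.
SAMPLE_WORKFLOW = """\
name: tests
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5.0.0 (placeholder SHA)
      - name: local composite action
        uses: ./.github/actions/setup
      - uses: actions/cache@main
"""

if __name__ == "__main__":
    for r in unpinned(SAMPLE_WORKFLOW):
        shown = r.ref or "<no ref>"
        print(f"line {r.line_no}: {r.action}@{shown} is not pinned to a full-length commit SHA")
```

Running it over the sample flags `actions/checkout@v4` and `actions/cache@main` and accepts the SHA-pinned `setup-python` step; pointing `scan_workflow` at each file under `.github/workflows/` gives the list of remaining fixes that the rest of this thread is about.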

sjha2048 commented 5 months ago

TIL! Thanks, will update shortly.

mr-tz commented 5 months ago

Thanks, there's still a few to fix in the build and CI workflows. Let me know if you want to fix them as well or if we should track them separately.

sjha2048 commented 5 months ago

works for me either way, can you help me in listing them? I'll also go through the logs, if there are too many changes then I'll raise separate PRs

mr-tz commented 5 months ago

[Two screenshots (2024-02-22, 9:57 PM and 9:58 PM) showing the remaining unpinned actions in the build and CI workflows]

sjha2048 commented 5 months ago

@mr-tz I have updated these actions.