newrelic / newrelic-java-agent

The New Relic Java agent
Apache License 2.0
202 stars 143 forks

Pin workflow actions to commit SHA rather than tag #1894

Closed jtduffy closed 5 months ago

jtduffy commented 5 months ago

Overview

Pinning Actions to Commit SHAs Instead of Tags

For security reasons, actions in GitHub workflows should be pinned by a commit SHA rather than a tag. A Node-based tool exists to automate this: pin-github-action.

This tool can be run locally whenever a `uses` action is added or changed in a workflow file. Instructions exist in the tool's README that explain installation and execution.

Updated `uses` keys will have a comment at the end specifying what version they were previously pinned at. For example:

```yaml
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # pin@v4
```

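
As an added example (not part of this PR and not the pin-github-action tool's code): a small Python check that scans a workflow file for `uses:` entries and reports which are still on a mutable tag, which are SHA-pinned with the `# pin@<tag>` comment described above, and which are SHA-pinned without it. The sample workflow and the all-zero SHA are constructed; the aws-actions line is the one from the description.

```python
import re

# A `uses:` line in a workflow: the action reference, then an optional
# trailing comment such as the `# pin@v4` marker pin-github-action writes.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>.*))?$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")      # full commit SHA
PIN_COMMENT_RE = re.compile(r"^pin@\S+$")    # "pin@v4"-style marker

# Constructed sample workflow; the all-zero SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # pin@v4
      - uses: actions/setup-java@0000000000000000000000000000000000000000
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""


def check_workflow(text):
    """Return (line_number, ref, status) per `uses:` entry, where status is
    "sha" (SHA-pinned with pin@ comment), "sha-no-comment" (SHA-pinned, no
    comment), "tag" (mutable tag/branch or unversioned), or "skip"
    (local ./ or docker:// reference, which cannot be SHA-pinned)."""
    results = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref").strip("'\"")
        comment = (m.group("comment") or "").strip()
        if ref.startswith("./") or ref.startswith("docker://"):
            status = "skip"
        elif SHA_RE.match(ref.partition("@")[2]):
            status = "sha" if PIN_COMMENT_RE.match(comment) else "sha-no-comment"
        else:
            status = "tag"
        results.append((line_no, ref, status))
    return results


def unpinned(text):
    """The entries a reviewer should flag: still on a mutable tag or branch."""
    return [(n, ref) for n, ref, status in check_workflow(text) if status == "tag"]
```

Run `unpinned(open(".github/workflows/ci.yml").read())` in CI to fail the build on any entry the tool has not yet rewritten.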
codecov-commenter commented 5 months ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 70.65%. Comparing base (1b74085) to head (befb70d). Report is 5 commits behind head on main.

Additional details and impacted files

```diff
@@             Coverage Diff             @@
##               main    #1894      +/-   ##
============================================
- Coverage     70.69%   70.65%   -0.05%
+ Complexity     9881     9857      -24
============================================
  Files           828      826       -2
  Lines         39850    39804      -46
  Branches       6065     6062       -3
============================================
- Hits          28173    28124      -49
- Misses         8950     8953       +3
  Partials       2727     2727
```
