Closed smiasojed closed 7 months ago
Do you think this is a sensible policy? The pinning was done nearly 1.5 years ago and I'm not sure if it still makes sense.
It still makes sense because the threat is the same as it was 1.5 years ago. Dependabot can update action versions even if they are pinned with a SHA.
These are the results when building the integration-tests/* contracts from this branch with cargo-contract and comparing them to ink! master:
Contract | Upstream Size (kB) | PR Size (kB) | Diff (kB) | Diff (%) | Change |
---|---|---|---|---|---|
call-builder-return-value | 9.237 | 9.237 | 0 | 0 | :heavy_minus_sign: |
call-runtime | 2.061 | 2.061 | 0 | 0 | :heavy_minus_sign: |
combined-extension | 2.137 | 2.12 | -0.017 | -0.795508 | :chart_with_downwards_trend: |
conditional-compilation | 1.49 | 1.49 | 0 | 0 | :heavy_minus_sign: |
contract-storage | 7.568 | 7.568 | 0 | 0 | :heavy_minus_sign: |
contract-terminate | 1.329 | 1.329 | 0 | 0 | :heavy_minus_sign: |
contract-transfer | 1.689 | 1.689 | 0 | 0 | :heavy_minus_sign: |
cross-contract-calls | 5.835 | 5.835 | 0 | 0 | :heavy_minus_sign: |
cross-contract-calls/other-contract | 1.583 | 1.583 | 0 | 0 | :heavy_minus_sign: |
custom-allocator | 7.775 | 7.775 | 0 | 0 | :heavy_minus_sign: |
custom-environment | 2.146 | 2.146 | 0 | 0 | :heavy_minus_sign: |
dns | 7.318 | 7.318 | 0 | 0 | :heavy_minus_sign: |
e2e-call-runtime | 1.296 | 1.296 | 0 | 0 | :heavy_minus_sign: |
e2e-runtime-only-backend | 1.881 | 1.881 | 0 | 0 | :heavy_minus_sign: |
erc1155 | 14.308 | 14.308 | 0 | 0 | :heavy_minus_sign: |
erc20 | 6.918 | 6.918 | 0 | 0 | :heavy_minus_sign: |
erc721 | 10.007 | 10.007 | 0 | 0 | :heavy_minus_sign: |
events | 5.258 | 5.258 | 0 | 0 | :heavy_minus_sign: |
flipper | 1.639 | 1.639 | 0 | 0 | :heavy_minus_sign: |
incrementer | 1.504 | 1.504 | 0 | 0 | :heavy_minus_sign: |
lang-err-integration-tests/call-builder-delegate | 2.638 | 2.638 | 0 | 0 | :heavy_minus_sign: |
lang-err-integration-tests/call-builder | 5.354 | 5.354 | 0 | 0 | :heavy_minus_sign: |
lang-err-integration-tests/constructors-return-value | 1.985 | 1.985 | 0 | 0 | :heavy_minus_sign: |
lang-err-integration-tests/contract-ref | 4.753 | 4.753 | 0 | 0 | :heavy_minus_sign: |
lang-err-integration-tests/integration-flipper | 1.815 | 1.815 | 0 | 0 | :heavy_minus_sign: |
lazyvec-integration-test | 4.616 | 4.616 | 0 | 0 | :heavy_minus_sign: |
mapping-integration-tests | 7.999 | 7.999 | 0 | 0 | :heavy_minus_sign: |
mother | 12.741 | 12.741 | 0 | 0 | :heavy_minus_sign: |
multi-contract-caller | 6.313 | 6.313 | 0 | 0 | :heavy_minus_sign: |
multi-contract-caller/accumulator | 1.378 | 1.378 | 0 | 0 | :heavy_minus_sign: |
multi-contract-caller/adder | 1.912 | 1.912 | 0 | 0 | :heavy_minus_sign: |
multi-contract-caller/subber | 1.932 | 1.932 | 0 | 0 | :heavy_minus_sign: |
multisig | 21.821 | 21.821 | 0 | 0 | :heavy_minus_sign: |
payment-channel | 5.659 | 5.659 | 0 | 0 | :heavy_minus_sign: |
psp22-extension | 7.071 | 7.071 | 0 | 0 | :heavy_minus_sign: |
rand-extension | 2.965 | 2.965 | 0 | 0 | :heavy_minus_sign: |
sr25519-verification | 1.142 | 1.142 | 0 | 0 | :heavy_minus_sign: |
static-buffer | 2.536 | 2.536 | 0 | 0 | :heavy_minus_sign: |
trait-dyn-cross-contract-calls | 2.887 | 2.887 | 0 | 0 | :heavy_minus_sign: |
trait-dyn-cross-contract-calls/contracts/incrementer | 1.545 | 1.545 | 0 | 0 | :heavy_minus_sign: |
trait-erc20 | 7.294 | 7.294 | 0 | 0 | :heavy_minus_sign: |
trait-flipper | 1.49 | 1.49 | 0 | 0 | :heavy_minus_sign: |
trait-incrementer | 1.614 | 1.614 | 0 | 0 | :heavy_minus_sign: |
upgradeable-contracts/delegator | 3.928 | 3.928 | 0 | 0 | :heavy_minus_sign: |
upgradeable-contracts/delegator/delegatee | 1.609 | 1.609 | 0 | 0 | :heavy_minus_sign: |
upgradeable-contracts/delegator/delegatee2 | 1.609 | 1.609 | 0 | 0 | :heavy_minus_sign: |
upgradeable-contracts/set-code-hash-migration | 1.743 | 1.743 | 0 | 0 | :heavy_minus_sign: |
upgradeable-contracts/set-code-hash-migration/migration | 1.45 | 1.45 | 0 | 0 | :heavy_minus_sign: |
upgradeable-contracts/set-code-hash-migration/updated-incrementer | 1.897 | 1.897 | 0 | 0 | :heavy_minus_sign: |
upgradeable-contracts/set-code-hash | 1.743 | 1.743 | 0 | 0 | :heavy_minus_sign: |
upgradeable-contracts/set-code-hash/updated-incrementer | 1.721 | 1.721 | 0 | 0 | :heavy_minus_sign: |
wildcard-selector | 2.846 | 2.846 | 0 | 0 | :heavy_minus_sign: |
Link to the run | Last update: Tue Feb 27 12:11:14 CET 2024
> Do you think this is a sensible policy? The pinning was done nearly 1.5 years ago and I'm not sure if it still makes sense.

@cmichi It makes sense if someone reviews an action before updating it. However, if we're just updating the action to the newest SHA without reviewing it first, it doesn't.
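As an added example (not tooling from the ink! repository), a small checker for the policy discussed in this thread: it walks a workflow's `uses:` lines and reports every third-party action that is not pinned to a full 40-hex commit SHA, since a tag such as `v4` can be re-pointed by whoever controls the action's repository. The workflow text, action names and SHA below are constructed for illustration.

```python
"""Report GitHub Actions `uses:` references that are not pinned to a full commit SHA."""
import re

# A full 40-hex commit SHA. Tags, branches and abbreviated SHAs are mutable or ambiguous.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Captures the action ref and the optional trailing "# vX.Y" comment that
# Dependabot keeps in sync when it bumps a SHA-pinned action.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?")


def check_uses(ref: str) -> tuple[bool, str]:
    """Return (ok, reason) for a single `uses:` value."""
    if ref.startswith("./"):
        return True, "local action from this repository"
    if ref.startswith("docker://"):
        # Images are pinned by digest rather than by commit SHA.
        return "@sha256:" in ref, "docker image should be pinned by digest"
    if "@" not in ref:
        return False, "no ref given at all"
    _, version = ref.rsplit("@", 1)
    if FULL_SHA.match(version):
        return True, "pinned to full commit SHA"
    return False, f"mutable ref {version!r}; pin to a 40-hex commit SHA"


def find_unpinned(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, ref, reason) for every `uses:` line that fails the check."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_LINE.match(line)
        if not m:
            continue
        ok, reason = check_uses(m.group(1))
        if not ok:
            findings.append((lineno, m.group(1), reason))
    return findings


# Constructed sample workflow; the SHA on line 8 is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (constructed)
      - uses: ./.github/actions/build-contracts
      - uses: docker://alpine:3.19
      - uses: some-org/some-action@main
"""

if __name__ == "__main__":
    for lineno, ref, reason in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {reason}")
```

Run against a real `.github/workflows/*.yml` tree, this flags lines 7, 10 and 11 of the sample above; the pinned line 8 and the local action pass.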
Summary
Closes #_
cargo-contract or pallet-contracts? Align to CI security policy
Description
Align to CI security policy https://github.com/paritytech/ink/pull/1359
Checklist before requesting a review
CHANGELOG.md