cmichi
commented
7 months ago Do you think this is a sensible policy? The pinning was done nearly 1.5 years ago and I'm not sure if it still makes sense.
Closed smiasojed closed 7 months ago
cmichi
commented
7 months ago Do you think this is a sensible policy? The pinning was done nearly 1.5 years ago and I'm not sure if it still makes sense.
alvicsam
commented
7 months ago It still makes sense because the threat is the same as it was 1,5 years ago. Dependabot can update actions versions even if they are pinned with sha.
github-actions[bot]
commented
7 months ago These are the results when building the integration-tests/* contracts from this branch with cargo-contract and comparing them to ink! master:
| Contract | Upstream Size (kB) | PR Size (kB) | Diff (kB) | Diff (%) | Change |
|---|---|---|---|---|---|
| call-builder-return-value | 9.237 | 9.237 | 0 | 0 | :heavy_minus_sign: |
| call-runtime | 2.061 | 2.061 | 0 | 0 | :heavy_minus_sign: |
| combined-extension | 2.137 | 2.12 | -0.017 | -0.795508 | :chart_with_downwards_trend: |
| conditional-compilation | 1.49 | 1.49 | 0 | 0 | :heavy_minus_sign: |
| contract-storage | 7.568 | 7.568 | 0 | 0 | :heavy_minus_sign: |
| contract-terminate | 1.329 | 1.329 | 0 | 0 | :heavy_minus_sign: |
| contract-transfer | 1.689 | 1.689 | 0 | 0 | :heavy_minus_sign: |
| cross-contract-calls | 5.835 | 5.835 | 0 | 0 | :heavy_minus_sign: |
| cross-contract-calls/other-contract | 1.583 | 1.583 | 0 | 0 | :heavy_minus_sign: |
| custom-allocator | 7.775 | 7.775 | 0 | 0 | :heavy_minus_sign: |
| custom-environment | 2.146 | 2.146 | 0 | 0 | :heavy_minus_sign: |
| dns | 7.318 | 7.318 | 0 | 0 | :heavy_minus_sign: |
| e2e-call-runtime | 1.296 | 1.296 | 0 | 0 | :heavy_minus_sign: |
| e2e-runtime-only-backend | 1.881 | 1.881 | 0 | 0 | :heavy_minus_sign: |
| erc1155 | 14.308 | 14.308 | 0 | 0 | :heavy_minus_sign: |
| erc20 | 6.918 | 6.918 | 0 | 0 | :heavy_minus_sign: |
| erc721 | 10.007 | 10.007 | 0 | 0 | :heavy_minus_sign: |
| events | 5.258 | 5.258 | 0 | 0 | :heavy_minus_sign: |
| flipper | 1.639 | 1.639 | 0 | 0 | :heavy_minus_sign: |
| incrementer | 1.504 | 1.504 | 0 | 0 | :heavy_minus_sign: |
| lang-err-integration-tests/call-builder-delegate | 2.638 | 2.638 | 0 | 0 | :heavy_minus_sign: |
| lang-err-integration-tests/call-builder | 5.354 | 5.354 | 0 | 0 | :heavy_minus_sign: |
| lang-err-integration-tests/constructors-return-value | 1.985 | 1.985 | 0 | 0 | :heavy_minus_sign: |
| lang-err-integration-tests/contract-ref | 4.753 | 4.753 | 0 | 0 | :heavy_minus_sign: |
| lang-err-integration-tests/integration-flipper | 1.815 | 1.815 | 0 | 0 | :heavy_minus_sign: |
| lazyvec-integration-test | 4.616 | 4.616 | 0 | 0 | :heavy_minus_sign: |
| mapping-integration-tests | 7.999 | 7.999 | 0 | 0 | :heavy_minus_sign: |
| mother | 12.741 | 12.741 | 0 | 0 | :heavy_minus_sign: |
| multi-contract-caller | 6.313 | 6.313 | 0 | 0 | :heavy_minus_sign: |
| multi-contract-caller/accumulator | 1.378 | 1.378 | 0 | 0 | :heavy_minus_sign: |
| multi-contract-caller/adder | 1.912 | 1.912 | 0 | 0 | :heavy_minus_sign: |
| multi-contract-caller/subber | 1.932 | 1.932 | 0 | 0 | :heavy_minus_sign: |
| multisig | 21.821 | 21.821 | 0 | 0 | :heavy_minus_sign: |
| payment-channel | 5.659 | 5.659 | 0 | 0 | :heavy_minus_sign: |
| psp22-extension | 7.071 | 7.071 | 0 | 0 | :heavy_minus_sign: |
| rand-extension | 2.965 | 2.965 | 0 | 0 | :heavy_minus_sign: |
| sr25519-verification | 1.142 | 1.142 | 0 | 0 | :heavy_minus_sign: |
| static-buffer | 2.536 | 2.536 | 0 | 0 | :heavy_minus_sign: |
| trait-dyn-cross-contract-calls | 2.887 | 2.887 | 0 | 0 | :heavy_minus_sign: |
| trait-dyn-cross-contract-calls/contracts/incrementer | 1.545 | 1.545 | 0 | 0 | :heavy_minus_sign: |
| trait-erc20 | 7.294 | 7.294 | 0 | 0 | :heavy_minus_sign: |
| trait-flipper | 1.49 | 1.49 | 0 | 0 | :heavy_minus_sign: |
| trait-incrementer | 1.614 | 1.614 | 0 | 0 | :heavy_minus_sign: |
| upgradeable-contracts/delegator | 3.928 | 3.928 | 0 | 0 | :heavy_minus_sign: |
| upgradeable-contracts/delegator/delegatee | 1.609 | 1.609 | 0 | 0 | :heavy_minus_sign: |
| upgradeable-contracts/delegator/delegatee2 | 1.609 | 1.609 | 0 | 0 | :heavy_minus_sign: |
| upgradeable-contracts/set-code-hash-migration | 1.743 | 1.743 | 0 | 0 | :heavy_minus_sign: |
| upgradeable-contracts/set-code-hash-migration/migration | 1.45 | 1.45 | 0 | 0 | :heavy_minus_sign: |
| upgradeable-contracts/set-code-hash-migration/updated-incrementer | 1.897 | 1.897 | 0 | 0 | :heavy_minus_sign: |
| upgradeable-contracts/set-code-hash | 1.743 | 1.743 | 0 | 0 | :heavy_minus_sign: |
| upgradeable-contracts/set-code-hash/updated-incrementer | 1.721 | 1.721 | 0 | 0 | :heavy_minus_sign: |
| wildcard-selector | 2.846 | 2.846 | 0 | 0 | :heavy_minus_sign: |
Link to the run | Last update: Tue Feb 27 12:11:14 CET 2024
smiasojed
commented
7 months ago Do you think this is a sensible policy? The pinning was done nearly 1.5 years ago and I'm not sure if it still makes sense.
@cmichi It makes sense if someone will review an action before updating it. However, if we're just updating the action to the newest SHA without reviewing it first, it doesn't.
Summary
Closes #_
cargo-contractorpallet-contracts?Align to CI security policy
Description
Align to CI security policy https://github.com/paritytech/ink/pull/1359
Checklist before requesting a review
CHANGELOG.md