Closed TGWolf closed 1 year ago
@zgosalvez I can confirm this issue.
What would be needed to solve it?
This is the line giving the warning: https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/blob/f32435541e24cd6a4700a7f52bb2ec59e80603b1/src/index.js#L54
Though I haven't yet understood why it's not arriving at any of the lines that print this warning/error instead:
${uses} is not pinned to a full length commit SHA.
Any ideas how we resolve this?
I also tried using the allowlist for this, but didn't get the following to work as a workaround either (still getting the same warnings):

```yaml
- name: Ensure SHA pinned actions
  uses: zgosalvez/github-actions-ensure-sha-pinned-actions@v2
  with:
    allowlist: |
      ./
```
Heya guys. Sorry for not being responsive. This is easily implementable, but the question is whether this is within the scope of this action, i.e., to ensure actions are SHA pinned. The allowlist only accepts bypassing versioned vendor actions, not local actions. I guess the simplest way to bypass this restriction is to use the allowlist. I can go and implement this if both @MPV and @TGWolf are ok with this approach. LMK 🙂
That sounds like a valid option to me,
> I also tried using the allowlist for this, but didn't get the following to work as a workaround either (still getting the same warnings):
>
> ```yaml
> - name: Ensure SHA pinned actions
>   uses: zgosalvez/github-actions-ensure-sha-pinned-actions@v2
>   with:
>     allowlist: |
>       ./
> ```
Just to clarify: would this be the thing to be supported, for solving this issue?
Feels okay to me. 👍
This is a valid action syntax:
But the action throws a warning saying there are no steps or uses
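A sketch of the check discussed in this thread, added here as an illustration and not taken from the action's `src/index.js`: it classifies every `uses` reference, including job-level ones and local `./` paths, instead of reporting them as missing steps. The function names, the status labels, the prefix-matching allowlist and the sample workflow are all assumptions.

```javascript
// Added example, not code from the action's src/index.js; all names are hypothetical.
const FULL_SHA = /^[0-9a-f]{40}$/i;             // full-length commit SHA
const DOCKER_DIGEST = /@sha256:[0-9a-f]{64}$/i; // image pinned by digest

function classifyUses(uses, allowlist = []) {
  if (typeof uses !== 'string' || uses.trim() === '') return 'invalid';
  const ref = uses.trim();
  // Local actions and reusable workflows are resolved inside the calling
  // repository, so there is no external ref to pin.
  if (ref.startsWith('./')) return 'local';
  if (ref.startsWith('docker://')) {
    return DOCKER_DIGEST.test(ref) ? 'pinned' : 'unpinned';
  }
  const at = ref.lastIndexOf('@');
  if (at > 0 && FULL_SHA.test(ref.slice(at + 1))) return 'pinned';
  // Assumption: allowlist entries are matched as prefixes of the reference.
  if (allowlist.some((p) => p !== '' && ref.startsWith(p))) return 'allowlisted';
  return 'unpinned';
}

function auditWorkflow(workflow, allowlist = []) {
  const results = [];
  for (const [jobName, job] of Object.entries(workflow.jobs || {})) {
    const body = job || {};
    // A job either calls a reusable workflow (job-level `uses`) or has steps.
    const refs = [];
    if (body.uses !== undefined) refs.push(body.uses);
    for (const step of body.steps || []) {
      if (step.uses !== undefined) refs.push(step.uses);
    }
    for (const uses of refs) {
      results.push({ job: jobName, uses, status: classifyUses(uses, allowlist) });
    }
  }
  return results;
}

// Constructed sample: a workflow as it would look after YAML parsing.
const sampleWorkflow = {
  jobs: {
    build: {
      steps: [
        { uses: 'actions/checkout@v4' },
        { uses: 'actions/checkout@0123456789abcdef0123456789abcdef01234567' }, // placeholder SHA
        { uses: 'octo-org/internal-action@v1' },
        { uses: './.github/actions/setup' },
        { run: 'make test' },
      ],
    },
    release: { uses: './.github/workflows/release.yml' },
  },
};

function unpinnedRefs(workflow, allowlist) {
  return auditWorkflow(workflow, allowlist)
    .filter((r) => r.status === 'unpinned')
    .map((r) => `${r.job}: ${r.uses}`);
}
```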