Skip to content

Update all actions we use in our workflows to pull from specific pinned commits#128

Merged
vikrampm1 merged 3 commits intodevelopfrom
update/pin-workflow-actions
Apr 7, 2025
Merged

Update all actions we use in our workflows to pull from specific pinned commits#128
vikrampm1 merged 3 commits intodevelopfrom
update/pin-workflow-actions

Conversation

@dkotter
Copy link
Copy Markdown
Collaborator

@dkotter dkotter commented Mar 18, 2025

Description of the Change

In order to help protect against compromised actions, instead of including actions based on their major version (like v4), this PR switches all the actions we use to pull based on the commit hash from the latest release.

While this does impact maintenance a bit going forward, it ensures that we we're always using actions that we (hopefully) trust and if an action gets compromised (which happens) we don't have to worry that we're using a compromised action. This also goes along with what GitHub suggests.

How to test the Change

Ensure all our workflows still run as expected

Changelog Entry

Developer - Update all third-party actions our workflows rely on to use versions based on specific commit hashes.

Credits

Props @dkotter, @jeffpaul

Checklist:

@dkotter dkotter added this to the 1.7.0 milestone Mar 18, 2025
@dkotter dkotter self-assigned this Mar 18, 2025
@dkotter dkotter requested a review from iamdharmesh March 18, 2025 20:20
@github-actions github-actions bot added the needs:code-review This requires code review. label Mar 18, 2025
iamdharmesh
iamdharmesh approved these changes Mar 19, 2025
View reviewed changes
Copy link
Copy Markdown
Collaborator

@iamdharmesh iamdharmesh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR changes look good and all actions are passing, except for the following:

  • Dependency Review: I'm not entirely sure about this, but it appears to be due to the "MIT License identified as invalid" issue.
  • E2E Cypress Tests / WP trunk: These tests are failing because of an insertBlock command issue with WP 6.8 in the Cypress utils library version 0.4.

@dkotter
Copy link
Copy Markdown
Collaborator Author

dkotter commented Mar 19, 2025

Dependency Review: I'm not entirely sure about this, but it appears to be due to the "actions/dependency-review-action#907" issue.

Yes, that does seem like the issue. We've encountered this across multiple plugins now. I've downgraded to an older version and that seems to work for now.

E2E Cypress Tests / WP trunk: These tests are failing because of an insertBlock command issue with WP 6.8 in the Cypress utils library version 0.4.

Update to the latest 0.5.0 release and tests are passing now

@vikrampm1 vikrampm1 merged commit b6b4089 into develop Apr 7, 2025
9 checks passed
@vikrampm1 vikrampm1 mentioned this pull request Apr 7, 2025
Closed
29 tasks
@dkotter dkotter deleted the update/pin-workflow-actions branch May 8, 2025 20:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jeffpaul jeffpaul jeffpaul approved these changes

@iamdharmesh iamdharmesh iamdharmesh approved these changes

Assignees

@dkotter dkotter

Labels

needs:code-review This requires code review.

Projects

None yet

Milestone

1.7.0

Development

Successfully merging this pull request may close these issues.

4 participants

@dkotter @jeffpaul @iamdharmesh @vikrampm1