Pin actions and dependencies in release workflow #796
Conversation
cdce8p
left a comment
Thanks for the PR @sethmlarson
| permissions: | ||
| contents: read |
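Review bot: a workflow-level `permissions: contents: read` is the right default, but note it applies to every job in this workflow; if a later job in the release flow ever needs write access (for example to create a GitHub release or attach assets to it), give that one job its own `permissions:` block instead of raising the workflow-level setting back to write.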
It's currently set to allow read & write. The only thing I can see that might require write access is actions/upload-artifact, though I'd guess that artifacts within the actions system are a separate thing and don't need write permission. I'm happy to try switching it to read only if that makes sense.
I've set it to Read only for all my own projects and upload-artifact still seems to work fine. Based on actions/upload-artifact#197 it seems the action uses some kind of custom token with its own permission details.
I'd just suggest trying the change here. We should see if it works during the next workflow run.
Thanks, that makes sense. I've set it to read-only now, and unchecked "Allow GitHub Actions to create and approve pull requests"
| run: | | ||
| python flit_core/build_dists.py | ||
| pip install requests docutils | ||
| python -m pip install -r packages-requirements.txt |
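Review bot: the `pip install requests docutils` line just above the hashed install is unpinned and unhashed, so those two packages and their transitive dependencies are still resolved to whatever is newest at release time, which undoes the point of the compiled requirements file; move them into the `.in` file so they end up in the hashed output and drop this line. The path `packages-requirements.txt` here also differs from `.github/workflows/packages-requirements.txt` recorded in the pip-compile header further down, so unless the step runs with that directory as its working directory the install will not find the file.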
| python -m pip install -r packages-requirements.txt | |
| python -m pip install -r .github/workflows/packages-requirements.txt |
?
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | ||
| with: | ||
| persist-credentials: false |
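Review bot: `persist-credentials: false` is worth keeping even with a read-only token: by default actions/checkout writes the token into the checkout's `.git/config` as an auth header, where any later step, and anything `python flit_core/build_dists.py` or the installed packages shell out to, can read it for the rest of the job, whereas a step only gets the token otherwise when the workflow passes it explicitly. It changes little while the token is read-only, but it removes one place a compromised dependency could pick it up and costs nothing.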
What is the advantage of using persist-credentials really? The GITHUB_TOKEN is already available to all steps and is configured with read-only anyway.
| - package-ecosystem: "github-actions" | ||
| directory: "/" | ||
| schedule: | ||
| interval: "daily" |
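Review bot: with `interval: "daily"` on the github-actions ecosystem every upstream release of a pinned action turns into a PR within a day, and now that the `uses:` lines carry SHA pins each of those is a separate bump; a `weekly` or `monthly` interval, together with a `cooldown:` block like the one used further down in this file, keeps the churn manageable without leaving pins permanently stale.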
I think it makes sense to adjust that as well, like you suggested.
| cooldown: | ||
| default-days: 7 | ||
| schedule: | ||
| interval: "quarterly" |
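Review bot: `interval: "quarterly"` plus `default-days: 7` means a pinned version can sit roughly three months behind before a version-update PR appears, and with a hashed requirements file nothing else moves the pins; make sure Dependabot security updates are enabled for the repository so a pinned version with a known vulnerability is still bumped in between, since those are raised from alerts rather than from this schedule.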
I might step this up to monthly 🤷
| # This file is autogenerated by pip-compile with Python 3.13 | ||
| # by the following command: | ||
| # | ||
| # pip-compile --generate-hashes --output-file=.github/workflows/packages-requirements.txt --pip-args='--only-binary=:all:' --strip-extras .github/workflows/packages-requirements.in |
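Review bot: the header records `--pip-args='--only-binary=:all:'`, so the hashes in this file cover wheels only; the install step should pass `--only-binary=:all:` (and ideally an explicit `--require-hashes`) as well, so that a package with no wheel for the runner's interpreter fails with a clear "no binary available" error instead of a hash mismatch on an sdist fallback, and the `setup-python` version used by the workflow should match the Python 3.13 recorded here so the resolved wheel set is the one that was hashed.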
Out of interest, if a new version of one of these packages has a new dependency of its own, is dependabot smart enough to add that to this file? Or even just flag that there's a new dependency that should be pinned?

Hello! This pins both the GitHub Actions and the Python packages used during the release process. If you want, we can also change the frequency of GitHub Actions updates. Right now it's daily; with pins, maybe that will be overwhelming? It might make sense to change it to something less frequent.
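As an added example, not code from this PR or from the project: a small checker that a release engineer could run in CI to keep the two pins this PR introduces from regressing. It flags any `uses:` in a workflow that is not pinned to a full 40-hex commit SHA, and any requirement line in a pip-compile output that is not `==`-pinned or carries no `--hash`. The regexes, the sample workflow and the sample requirements file below are constructed for the example (the checkout SHA is the one from the diff above); the `unpinned_actions` and `unhashed_requirements` names are the example's own.

```python
"""Added example (not part of the PR or the project): lint a GitHub Actions
workflow for SHA-pinned actions and a pip-compile requirements file for
hashed, ==-pinned entries. Sample inputs are constructed for the example."""
import re

# `uses: owner/repo[/path]@ref`, optionally followed by a "# vN" comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^\s@#]+)@(?P<ref>[^\s#]+)(?:\s*#\s*(?P<comment>.*))?$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, action, ref) for each `uses:` whose ref is not a full
    commit SHA. Tags and branches (v5, main) are mutable, so they are flagged;
    local actions (`./path`) have no `@ref` and never match."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group("ref")):
            findings.append((n, m.group("action"), m.group("ref")))
    return findings


def unhashed_requirements(req_text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, name, reason) for requirements that are not pinned with
    `==` or have no `--hash=`. pip-compile spreads one requirement over several
    physical lines joined by a trailing backslash, so logical lines are
    reassembled first; comments and pip option lines (--index-url, ...) are skipped."""
    findings = []
    parts, start = [], 0
    for n, raw in enumerate(req_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not parts:
            start = n
        if line.endswith("\\"):
            parts.append(line[:-1].strip())
            continue
        parts.append(line)
        full, parts = " ".join(parts), []
        if full.startswith("-"):
            continue  # pip option line, not a requirement
        name = re.split(r"[<>=!~\s]", full, 1)[0]
        if "==" not in full:
            findings.append((start, name, "not pinned with =="))
        elif "--hash=" not in full:
            findings.append((start, name, "no --hash"))
    return findings


# Constructed sample workflow: one SHA-pinned action, two mutable refs, one local.
SAMPLE_WORKFLOW = """\
name: release
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - uses: actions/setup-python@v5
      - uses: actions/upload-artifact@main
      - uses: ./.github/actions/local-thing
"""

# Constructed sample requirements file in pip-compile --generate-hashes layout
# (hash values are placeholders), with two lines that a hand edit could introduce.
SAMPLE_REQUIREMENTS = """\
#
# This file is autogenerated by pip-compile with Python 3.13
#
--only-binary :all:
certifi==2024.8.30 \\
    --hash=sha256:aaaa \\
    --hash=sha256:bbbb
    # via requests
requests==2.32.3 \\
    --hash=sha256:cccc
    # via -r packages-requirements.in
docutils==0.21.2
urllib3>=2
"""

if __name__ == "__main__":
    for n, action, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"workflow:{n}: {action}@{ref} is not pinned to a commit SHA")
    for n, name, reason in unhashed_requirements(SAMPLE_REQUIREMENTS):
        print(f"requirements:{n}: {name}: {reason}")
```

Run it as a CI step against the real `.github/workflows/*.yml` and the compiled requirements file and fail the job when either list is non-empty; that catches the `pip install requests docutils` style of unpinned install as soon as someone reintroduces it.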