
ci: pin third party actions#270552

Merged
Mic92 merged 1 commit into NixOS:master from l0b0:pin-actions
Nov 29, 2023

Conversation

@l0b0
Contributor

@l0b0 l0b0 commented Nov 28, 2023

Description of changes

Improves reproducibility of CI tasks, especially since actions often move their tags, resulting in foo@vN being equivalent to foo@vN.*.*. This is not rare - as you can see from the PR, most of the pinned actions have been moved. For example, actions/checkout@v4 has been moved to v4.1.1.

Dependabot knows how to update pinned dependencies and their comments, so there should be no overhead from this change.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.11 Release Notes (or backporting 23.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Priorities

Add a 👍 reaction to pull requests you find important.

@l0b0 l0b0 marked this pull request as ready for review November 28, 2023 03:36
@l0b0 l0b0 requested review from a team, Mic92, infinisil and zowoq as code owners November 28, 2023 03:36
@github-actions github-actions bot added the 6.topic: policy discussion Discuss policies to work in and around Nixpkgs label Nov 28, 2023
@zowoq
Contributor

zowoq commented Nov 28, 2023

Previous PR: #140301

Member

@Mic92 Mic92 left a comment


I guess we could try this out. Hopefully not too many commits go in the checkout action etc.

@delroth delroth added the 12.approvals: 1 This PR was reviewed and approved by one person. label Nov 28, 2023
@zowoq
Contributor

zowoq commented Nov 28, 2023

If we're going to merge this we may as well pin all of the actions so the dependabot updates are consistent.

@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux. labels Nov 28, 2023
@l0b0
Contributor Author

l0b0 commented Nov 28, 2023

If we're going to merge this we may as well pin all of the actions so the dependabot updates are consistent.

@zowoq Whoops, turns out `npx pin-github-action --comment=' {ref}' .github/workflows/*.y*ml` failed, but `for file in .github/workflows/*.y*ml; do npx pin-github-action --comment=' {ref}' "$file" || echo "$file"; done` seems to have processed all of them.

I've manually bumped the version tags to the latest tag with that commit ID. The build won't change (`actions/checkout@v4` had already been moved to `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11`, which has also been tagged with `v4.1.1`). By doing this, Dependabot will update the comment to reflect the patch-level tag, rather than keeping the tag the same when it moves. That is, given `actions/checkout@ff… # v4`, Dependabot would update only the hash, not giving any indication whether it was a patch or minor change. But given `actions/checkout@ff… # v4.1.1`, Dependabot will update the major, minor, or patch version appropriately.

@l0b0 l0b0 force-pushed the pin-actions branch 3 times, most recently from dc836d2 to 77d5afc, November 28, 2023 20:00

For reproducibility.

Command:

```shell
for file in .github/workflows/*.y*ml; do
    npx pin-github-action --comment=' {ref}' "$file"
done
```

Then had to manually replace all the versions with accurate specifiers
(for example, "v4" → "v4.1.1" in case of `actions/checkout`).
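As an added example (not code from this PR or from nixpkgs), the following Python lint checks `uses:` lines in a workflow for the convention adopted here: a full 40-hex commit SHA followed by a patch-level version comment that Dependabot can keep current. The workflow text is constructed for illustration; the `actions/checkout` commit ID is the one quoted in the discussion.

```python
import re

# One `uses:` step reference, e.g.
#   - uses: actions/checkout@v4
#   - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
# Local actions (`uses: ./path`) carry no `@ref` and therefore never match.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PATCH_TAG_RE = re.compile(r"^v?\d+\.\d+\.\d+$")

# Constructed sample workflow: one step per pinning state.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - uses: ./.github/actions/local-step
"""


def check_workflow(text):
    """Return findings as (line_no, action, ref, reason) for every third-party
    action that is not pinned to a SHA with a patch-level version comment."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action", "ref", "comment")
        if not SHA_RE.match(ref):
            # A moving tag: the action's content can change without a diff here.
            findings.append((line_no, action, ref, "not pinned to a full commit SHA"))
        elif comment is None:
            findings.append((line_no, action, ref, "SHA pin lacks a version comment"))
        elif not PATCH_TAG_RE.match(comment):
            # A major-only comment stays "v4" forever, hiding minor/patch bumps.
            findings.append((line_no, action, ref, f"comment {comment!r} is not patch-level"))
    return findings


if __name__ == "__main__":
    for line_no, action, ref, reason in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref}: {reason}")
```

Run against a real checkout with `check_workflow(open(path).read())` for each file under `.github/workflows/`.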
@delroth delroth removed the 12.approvals: 1 This PR was reviewed and approved by one person. label Nov 28, 2023
@Mic92 Mic92 merged commit 4177297 into NixOS:master Nov 29, 2023
@Mic92
Member

Mic92 commented Nov 29, 2023

Ok. Let's try this out.

@l0b0 l0b0 deleted the pin-actions branch November 29, 2023 19:55