Pin third party actions with SHA #46

Merged
merged 2 commits into from
Sep 19, 2022

Conversation

ericpre
Member

@ericpre ericpre commented Sep 19, 2022

Following up on hyperspy/hyperspy#2727, try to pin third party actions with SHA. As per https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates, I have set up dependabot.yml to get PRs to update the GitHub actions automatically; see for example #43.
The idea is that, in the case of third party actions (as in not from GitHub), we should review the change in the code of the actions to check that there is no malicious code, and use the SHA to make sure the code associated with the tag doesn't change.

Progress of the PR

  • Try to pin with SHA in case of third party action,
  • [n/a] update docstring (if appropriate),
  • [n/a] update user guide (if appropriate),
  • add a link to the hyperspy developer guide, which will have a maintenance section on this topic after Pin third party GitHub actions hyperspy#3027 is merged
  • [n/a] add a changelog entry in the upcoming_changes folder (see upcoming_changes/README.rst),
  • Check formatting changelog entry in the readthedocs doc build of this PR (link in github checks)
  • [n/a] add tests,
  • ready for review.
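As an added example (not part of this PR or the repository's own code), a small Python check that scans a workflow file for `uses:` references to third party actions that are not pinned to a full 40-character commit SHA, which is the review step the PR description asks for. The workflow text and the SHA value are constructed, and treating only the `actions` and `github` owners as first party is an assumption.

```python
import re

# A `uses:` step line in a GitHub Actions workflow (assumption: references of
# the form owner/repo[/path]@ref; local "./" and "docker://" uses are skipped).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@'\"\s]+)@([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")

# Owners treated as first party (GitHub-maintained); assumption for this check.
TRUSTED_OWNERS = {"actions", "github"}

# Constructed sample workflow; the 40-hex SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: Tests
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
      - uses: codecov/codecov-action@v3
      - uses: pre-commit/action@0123456789abcdef0123456789abcdef01234567  # v3.0.0
      - uses: some-org/some-action@0123456
"""


def check_workflow(text):
    """Return (line_no, action, ref, problem) for every third party action
    reference that is not pinned to a full commit SHA."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if action.startswith(("./", "docker://")):
            continue
        if action.split("/")[0] in TRUSTED_OWNERS or FULL_SHA_RE.match(ref):
            continue
        if SHORT_SHA_RE.match(ref):
            problem = "short SHA (not a full 40-hex commit)"
        else:
            problem = "mutable ref (tag or branch)"
        findings.append((line_no, action, ref, problem))
    return findings


if __name__ == "__main__":
    for line_no, action, ref, problem in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref}: {problem}")
```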

@codecov

codecov bot commented Sep 19, 2022

Codecov Report

Base: 82.90% // Head: 82.90% // No change to project coverage 👍

Coverage data is based on head (19144ee) compared to base (27d3bed).
Patch has no changes to coverable lines.

Additional details and impacted files
@@           Coverage Diff           @@
##             main      #46   +/-   ##
=======================================
  Coverage   82.90%   82.90%           
=======================================
  Files          40       40           
  Lines        8041     8041           
  Branches     1860     1860           
=======================================
  Hits         6666     6666           
  Misses        911      911           
  Partials      464      464           



@ericpre
Member Author

ericpre commented Sep 19, 2022

The list of GitHub actions used in this repository is summarised in https://github.com/hyperspy/rosettasciio/network/dependencies

@ericpre
Member Author

ericpre commented Sep 19, 2022

Blocked by LumiSpy/lumispy#100 (comment)

@jlaehne
Contributor

jlaehne commented Sep 19, 2022

Blocked by LumiSpy/lumispy#100 (comment)

done

@jlaehne jlaehne merged commit e852a08 into hyperspy:main Sep 19, 2022