Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #91 +/- ##
=======================================
Coverage 94.57% 94.57%
=======================================
Files 6 6
Lines 369 369
=======================================
Hits 349 349
Misses 20 20 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
zimeg
left a comment
zimeg
left a comment
There was a problem hiding this comment.
📝 Leaving one comment on updated permissions of the publish workflow for the wonderful reviewers!
Next release of this action, let's keep an eye on this 👁️🗨️
| permissions: | ||
| contents: write |
There was a problem hiding this comment.
These permissions are noted in JasonEtco/build-and-tag-action#45 and match a similar workflow that's found in slackapi/slack-github-action
hello-ashleyintech
left a comment
hello-ashleyintech
left a comment
There was a problem hiding this comment.
LGTM and the PR is well written and documented for this change! Thank you 🙇
WilliamBergamin
left a comment
WilliamBergamin
left a comment
There was a problem hiding this comment.
All for the minimum permission 💯
This might be a hot take but I don't think we need to pin the hashes, I think the readability of the raw version outweighs the benefits of pinning hashes and leaving comments for the actual version, I'm concerned about how dependabot handles updating these dependencies 
Could you explain what are the security improvements gained by using the hash rather then referencing the version and share any documented cases of critical vulnerability in this area 🙏
It may also be worth considering what is at risk here, as far as I know these Github Actions don't have access to our package release keys, I don't think we should be building a "complex security vault" if we are leaving it empty
|
@hello-ashleyintech @WilliamBergamin Once more, I appreciate the fast reviews so much 🙏 ✨ @WilliamBergamin Following the comment of slackapi/slack-github-action#441 I'm requesting another review before merge! Please let me know if other changes are requested but I shall continue onto other projects we maintain for the meantime. |
|
@hello-ashleyintech @WilliamBergamin I appreciate the reviews too on this PR. I am going to merge this and similar PRs now 🫡 |
3 participants
Summary
This PR uses the wonderful
zizmortool to audit our own workflows andpinactfor pinned versioning 👾While not so simple to bump ourselves, the kind @dependabot can help keep these hashes updated 🤖 ✨
Reviewers
A similar audit can be performed with the
zizmortool:Notes
Similar changes exist in slackapi/slack-github-action#441 but comments on unexpected changes follow!
Requirements