Skip to content

chore: update tj actions #3063

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

chore: update tj actions #3063

wants to merge 1 commit into from

Conversation

blva
Copy link
Collaborator

@blva blva commented Jun 28, 2024
edited
Loading

Proposed changes

Trying to update this to resolve https://github.com/mongodb/mongodb-atlas-cli/security/dependabot

Checklist

  • I have signed the MongoDB CLA
  • I have added tests that prove my fix is effective or that my feature works
  • I have added any necessary documentation in document requirements section listed in CONTRIBUTING.md (if appropriate)
  • I have addressed the @mongodb/docs-cloud-team comments (if appropriate)
  • I have updated test/README.md (if an e2e test has been added)
  • I have run make fmt and formatted my code

Further comments

@blva blva marked this pull request as ready for review June 28, 2024 13:11
@blva blva requested a review from a team June 28, 2024 13:11
@blva
Copy link
Collaborator Author

blva commented Jun 28, 2024

@gssbzn do you know if there is any blocker to update this?

gssbzn
gssbzn reviewed Jun 28, 2024
View reviewed changes
.github/workflows/autoupdate-sdk.yaml
@@ -20,7 +20,7 @@ jobs:
run: echo "VERSION=$(curl -sSfL -X GET https://api.github.com/repos/mongodb/atlas-sdk-go/releases/latest | jq -r '.tag_name')" >> "$GITHUB_OUTPUT"
- run: make update-atlas-sdk
- name: Verify Changed files
uses: tj-actions/verify-changed-files@11ea2b36f98609331b8dc9c5ad9071ee317c6d28
uses: tj-actions/verify-changed-files@v20
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you please use the sha? or you can leave it until tuesday and dependabot will create a PR

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can I merge like this so snyk understand we're using a version > 17?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

also, can we keep a pinned version?

dependabot complains:

Dependabot can't update vulnerable dependencies without a pinned version
The currently installed version can't be determined.

To resolve the issue pin the version to a specific release in your manifest file.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

there's a request from security to keep 3rd party Gh actions (not mantained by GH) using shas instead of pinned version

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see, i'll close this then! as it would come up again after we fix the issue.

@blva blva requested a review from gssbzn June 28, 2024 13:49
@blva blva closed this Jun 28, 2024
@gssbzn gssbzn mentioned this pull request Jul 4, 2024
Closed
@gssbzn gssbzn deleted the security branch August 6, 2024 10:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gssbzn gssbzn Awaiting requested review from gssbzn

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@blva @gssbzn