chore: update code_health third parties action to their shas #3078


Closed
wants to merge 21 commits into from

Conversation

andreaangiolillo
Collaborator

@andreaangiolillo andreaangiolillo commented Jul 4, 2024

Proposed changes

Update the code health third-party actions to their SHAs.

@andreaangiolillo andreaangiolillo marked this pull request as ready for review July 4, 2024 16:12
@andreaangiolillo andreaangiolillo requested a review from a team July 4, 2024 16:12
Collaborator

@gssbzn gssbzn left a comment


not the same binary but the same rules, does the binary matter?

@gssbzn
Collaborator

gssbzn commented Jul 4, 2024

If you see the code, they use it as a library: https://github.com/golangci/golangci-lint/blob/8f348db7bbd6366c528a369ad0b02505afd265c8/pkg/golinters/staticcheck/staticcheck.go#L4C22-L4C33. The note is just because of beef between the two projects.

golangci/golangci-lint#2894

@andreaangiolillo
Collaborator Author

Ah okay, I was tricked by "It's not the same thing as the staticcheck binary." I will reuse this PR to update the action to pin third parties to SHAs then.

@andreaangiolillo andreaangiolillo changed the title from "chore: add static check to code health" to "chore: update code_health third parties action to their shas" Jul 4, 2024
@andreaangiolillo andreaangiolillo requested a review from gssbzn July 4, 2024 16:30
with:
config: ${{ vars.PERMISSIONS_CONFIG }}
- uses: actions/checkout@v4
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
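Review bot: the pinned commit that replaces `actions/checkout@v4` carries no comment recording which tag it was resolved from, so a reader cannot tell at a glance whether the SHA is the intended release; add a trailing comment such as `- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4` (with the exact tag the SHA was taken from) so reviewers can verify the pin and Dependabot can keep both the SHA and the comment updated.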
Collaborator


My understanding was that actions supported by GH could remain on version numbers and not SHAs; has this changed?

Collaborator


Using SHAs is actually really bad for security scanning tools, as you may be able to see from #3063.

Collaborator Author


I was unaware of this; could you share where it was decided?

Collaborator Author


No problem if you don't find it. It makes sense that GH actions can be trusted.

@andreaangiolillo andreaangiolillo deleted the chore_add_static_check_to_gh_action branch July 4, 2024 16:41