VLN-1354: remediate unpinned-github-actions#1054
Conversation
|
@picatz does this play nice with dependabot? |
|
it's be great if this PR could go ahead and bump action versions as well. It'd resolve a good but of the dependabot PRs and reviews are a bit slow in this repo right now. |
We plan to have a SAST check, likely as a required workflow we'll apply to repos; we have a few options we're exploring, but you will see alerts happen in PRs as feedback in the future. Dependabot will not be able to revert it back to SHA.
The campaign scope aims to just pin to whatever users are using. But, if you'd like, I can bump the versions too. It just carries its own risk of not working, or causing different churn / issues than pinning to what's working. |
Bump all GitHub Actions to their latest versions, kept pinned to commit SHAs. Resolves the open Dependabot action PRs and brings the remaining actions in line: - actions/create-github-app-token v2.2.2 -> v3.1.1 (#1037) - actions/github-script v8.0.0 -> v9.0.0 (#1036) - docker/setup-buildx-action v3.10.0 -> v4.1.0 (#1035) - goreleaser/goreleaser-action v6.4.0 -> v7.2.1 (#1039) - actions/setup-go -> v6.4.0 across all workflows (#1038) - actions/checkout v4.3.1 -> v6.0.2 in ci.yaml - docker/setup-qemu-action v3.2.0 -> v4.1.0 - docker/login-action v3.5.0 -> v4.2.0
|
Using this for the commit message: |
|
Sounds good to me, thank you! 😄 |
…#1104) ## Summary Backports server-independent changes from `main` into `release/1.8.x`. Every commit here was verified to build and pass codegen against the release line's current dependency pins (`server v1.31.0`, `sdk v1.41.1`, `api v1.62.8`) — nothing pulls in the newer server/SDK/API that landed on `main` via #1017. Scope agreed as: bug fixes + CLI changes + CI/tooling. Dependency bumps (#1040, #1052, #1063) and server-version-dependent features are intentionally excluded. ## Included (22 commits, cherry-picked with `-x`) **CLI / bug fixes** - #1006 Fix help with value flags (addresses #1003 — `--help` with value flags like `--address 123` surfaced `pflag: help requested` as an error) - #1012 skip CountWorkflow in batch operations when `--yes` is set - #1016 Sort output of listing search attributes - #1029 Workflow delete now prompts for confirmation - #1033 Add persistence info to start-dev banner - #1047 Add `temporal schedule list-matching-times` command - #1056 Fix task-queue config set help: use real fairness weight flag names - #1059 Prefix dev server cluster ID with `dev-server-` - #1089 fix: tls is not added for profiles without tls - #1099 Clarify activity pause timeout behavior - #941 auto-generate deprecation warnings from YAML config **Tests** - #1005 Fix flakey test by disabling EC2 metadata lookup - #1020 Remove `time.Sleep()` in commands.taskqueue_test.go **CI / tooling** - #1015 pin alpine docker image to 3.23.4 - #1024 remediate missing-dependency-cooldown - #1034 Bump actions/upload-artifact from 4 to 7 - #1044 improve dependabot config - #1045 add PR template - #1054 pin and bump GitHub Actions to latest versions - #1057 use allow instead of ignore for dependency-type in dependabot config - #1080 Bump the github-actions group with 2 updates ## Excluded (rely on the new server/SDK version) #1017 (server bump v1.31.0 -> v1.32.0-157.0), #1046, #1087, #1001, #1091, #1084 ## Verification - `go build ./...` passes - all test packages compile - `make gen` reports no codegen drift - server/sdk/api pins unchanged from `release/1.8.x` ## CI endpoint fix (added) Also backports the API-key CI test endpoint change from #1087 (`us-east-1` -> `ca-central-1`) as a standalone CI-only commit. This resolves the `Request unauthorized` failure in the "Test cloud API key" steps on `release/1.8.x`. The rest of #1087 (Nexus Operation command code) is excluded as it depends on the new server version. --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Sai Asish Y <say.apm35@gmail.com> Co-authored-by: Kevin Woo <3469532+kevinawoo@users.noreply.github.com> Co-authored-by: Rodrigo Zhou <rodrigo.zhou@temporal.io> Co-authored-by: Stephan Behnke <stephanos@users.noreply.github.com> Co-authored-by: Jiechen Zhong <jiechen.zhong@temporal.io> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Co-authored-by: Kent Gruber <kent.gruber@temporal.io> Co-authored-by: picatz <14850816+picatz@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: John Votta <jpvotta@gmail.com> Co-authored-by: Nasit Sarwar Sony <nasitsony96@gmail.com> Co-authored-by: hussam-salah <156124396+hussam-salah@users.noreply.github.com> Co-authored-by: Sai Asish Y <say.apm35@gmail.com> Co-authored-by: Bitalizer <23104115+bitalizer@users.noreply.github.com> Co-authored-by: Sean Kane <spkane31@gmail.com> Co-authored-by: Jessica Laughlin <JLDLaughlin@users.noreply.github.com>


Finding
unpinned-github-actionstemporalio/cliSummary
.github/workflows/trigger-docs.yml: Pinnedactions/create-github-app-tokenfrom@v2to a full 40-character commit SHA with exact semver comment# v2.2.2..github/workflows/build-and-publish-docker.yml: Pinnedactions/checkout,actions/github-script,docker/setup-qemu-action,docker/setup-buildx-action, anddocker/login-actionto full 40-character commit SHAs with exact semver comments..github/workflows/release.yml: Pinnedactions/checkout,actions/setup-go, andgoreleaser/goreleaser-actionto full 40-character commit SHAs with exact semver comments..github/workflows/ci.yaml: Pinned bothactions/checkoutrefs, bothactions/setup-gorefs, andactions/upload-artifactto full 40-character commit SHAs with exact semver comments..github/workflows/govulncheck.yml: Pinnedactions/checkoutandactions/setup-goto full 40-character commit SHAs with exact semver comments; lefttemporalio/public-actions/...unchanged per exception.Instructions
/camper rebase— rebase onto the base branch/camper close— close this PR without merging/camper retry— close and retry with a new fix