Pin Codeql actions versions #5875
Conversation
Codecov Report: All modified and coverable lines are covered by tests ✅

Coverage Diff (main vs #5875):

              main     #5875    +/-
  Coverage   96.79%   96.79%
  Files        342      342
  Lines      16525    16525
  Hits       15996    15996
  Misses       341      341
  Partials     188      188

Flags with carried forward coverage won't be shown. ☔ View full report in Codecov by Sentry.
Why do we need this? It does not improve security of repeatable builds, and only creates maintenance overhead.
That's https://securityscorecards.dev/viewer/?uri=github.com/jaegertracing/jaeger See pinned dependencies. You can learn more on the official documentation with
Yes, I am familiar with the scorecard's mistaken opinion on the subject. There are deps that affect the build of the artifacts, and those should be pinned. But there are workflows (like linters) which do not produce artifacts and can actually benefit from using "latest" deps.
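The disagreement above is about which `uses:` references in a workflow need an immutable pin. The following is an added example, not code from this PR or from the Jaeger project: a small checker that scans a workflow file and reports every action reference that is not pinned to a full 40-character commit SHA (tags and branches can be moved after the fact; a commit SHA cannot), while leaving local `./` actions alone and asking for an image digest on `docker://` references. The sample workflow and the SHA in it are constructed placeholders, not the real CodeQL action commit. Parsing is a line-based regex rather than a YAML library so the script runs with the standard library only.

```python
import re

# Matches a step line such as  `- uses: actions/checkout@v4  # comment`
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'#\s]+)["\']?(?:\s*#\s*(.*))?\s*$')
# A full, lowercase 40-hex commit SHA is the only immutable ref for a git-hosted action
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref: str) -> str:
    """Return 'local', 'docker', 'sha' or 'mutable' for a single uses: reference."""
    if ref.startswith("./"):
        return "local"      # lives in this repo, already fixed by the checked-out commit
    if ref.startswith("docker://"):
        return "docker"     # container image; immutable only with @sha256:<digest>
    if "@" not in ref:
        return "mutable"    # no ref at all resolves to the default branch
    _, version = ref.rsplit("@", 1)
    return "sha" if FULL_SHA_RE.match(version) else "mutable"


def unpinned_action_refs(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, ref, reason) for every step not pinned to an immutable digest.

    A SHA-pinned ref without a trailing '# vX.Y.Z' comment is reported too, because
    update tooling such as Dependabot uses that comment to know which release the SHA is.
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        kind = classify_ref(ref)
        if kind == "mutable":
            findings.append((line_no, ref, "tag/branch ref is mutable; pin to a 40-char commit SHA"))
        elif kind == "docker" and "@sha256:" not in ref:
            findings.append((line_no, ref, "image tag is mutable; pin to @sha256:<digest>"))
        elif kind == "sha" and not comment:
            findings.append((line_no, ref, "SHA pinned but missing '# vX.Y.Z' version comment"))
    return findings


# Constructed sample workflow; the 40-hex value below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: CodeQL (constructed sample, not the project's real workflow)
on: [push]
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@0123456789abcdef0123456789abcdef01234567 # v3.26.0 (placeholder SHA)
      - uses: github/codeql-action/analyze@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-setup
      - uses: docker://alpine:3.20
"""

if __name__ == "__main__":
    for line_no, ref, reason in unpinned_action_refs(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref}: {reason}")
```

Run against the sample, the checker flags the `@v4` checkout, the `analyze` step that is pinned but undocumented, and the `alpine:3.20` image, and stays silent on the `./` action and the fully pinned `init` step. That matches the distinction drawn in the thread: the check can be scoped to the workflows whose outputs ship, and left off linter-only workflows, by choosing which files are fed to it.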
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
Which problem is this PR solving?
Description of the changes
How was this change tested?
Checklist
- jaeger: make lint test
- jaeger-ui: yarn lint and yarn test