Pin Codeql actions versions #5875

Open
wants to merge 1 commit into
base: main

mmorel-35
Contributor

@mmorel-35 mmorel-35 commented Aug 22, 2024

Which problem is this PR solving?

Description of the changes

  • Pin Codeql actions versions

How was this change tested?

Checklist

@mmorel-35 mmorel-35 requested a review from a team as a code owner August 22, 2024 07:43
@mmorel-35 mmorel-35 requested a review from jkowall August 22, 2024 07:43

codecov bot commented Aug 22, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 96.79%. Comparing base (8f2543c) to head (e138a16).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #5875   +/-   ##
=======================================
  Coverage   96.79%   96.79%           
=======================================
  Files         342      342           
  Lines       16525    16525           
=======================================
  Hits        15996    15996           
  Misses        341      341           
  Partials      188      188           
Flag Coverage Δ
badger_v1 8.05% <ø> (ø)
badger_v2 1.81% <ø> (ø)
cassandra-3.x-v1 16.61% <ø> (ø)
cassandra-3.x-v2 1.74% <ø> (ø)
cassandra-4.x-v1 16.61% <ø> (ø)
cassandra-4.x-v2 1.74% <ø> (ø)
elasticsearch-6.x-v1 18.77% <ø> (-0.02%) ⬇️
elasticsearch-7.x-v1 18.84% <ø> (+0.01%) ⬆️
elasticsearch-8.x-v1 19.03% <ø> (+0.01%) ⬆️
elasticsearch-8.x-v2 1.80% <ø> (ø)
grpc_v1 9.52% <ø> (ø)
grpc_v2 7.14% <ø> (ø)
kafka-v1 9.74% <ø> (ø)
kafka-v2 1.81% <ø> (ø)
memory_v2 1.81% <ø> (ø)
opensearch-1.x-v1 ?
opensearch-2.x-v1 18.88% <ø> (-0.02%) ⬇️
opensearch-2.x-v2 1.81% <ø> (ø)
unittests 95.27% <ø> (ø)


@yurishkuro yurishkuro added the changelog:ci Change related to continuous integration / testing label Aug 22, 2024
@yurishkuro
Member

Why do we need this? It does not improve security of repeatable builds, and only creates maintenance overhead.

@mmorel-35
Contributor Author

mmorel-35 commented Aug 22, 2024

@yurishkuro
Member

Yes, I am familiar with the scorecard's mistaken opinion on the subject. There are deps that affect the build of the artifacts, and those should be pinned. But there are workflows (like linters) which do not produce artifacts and can actually benefit from using "latest" deps.

Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>