
Update actions/checkout action to v4.1.6 #51

Open: wants to merge 1 commit into main

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Oct 17, 2023

Mend Renovate

This PR contains the following updates:

  • Package: actions/checkout
  • Type: action
  • Update: patch
  • Change: v4.1.0 -> v4.1.6

Release Notes (actions/checkout)

  • v4.1.6
  • v4.1.5: Full Changelog: actions/checkout@v4.1.4...v4.1.5
  • v4.1.4
  • v4.1.3: Full Changelog: actions/checkout@v4.1.2...v4.1.3
  • v4.1.2
  • v4.1.1: Full Changelog: actions/checkout@v4.1.0...v4.1.1


Configuration

📅 Schedule: Branch creation - "* 0-4 * * 3" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot requested a review from ShivanKaul as a code owner October 17, 2023 17:27
@renovate renovate bot force-pushed the renovate/actions-checkout-4.x branch from 23ecf05 to 691698f Compare March 4, 2024 12:44
@renovate renovate bot force-pushed the renovate/actions-checkout-4.x branch from 691698f to fefe643 Compare March 22, 2024 20:43

[puLL-Merge] - actions/checkout@v4.1.0..v4.1.1

logError The patch is trivial, no need for a summarization

@renovate renovate bot force-pushed the renovate/actions-checkout-4.x branch from fefe643 to 98fc2ea Compare April 22, 2024 14:31
@renovate renovate bot changed the title Update actions/checkout action to v4.1.1 Update actions/checkout action to v4.1.2 Apr 22, 2024
@renovate renovate bot force-pushed the renovate/actions-checkout-4.x branch from 98fc2ea to c249526 Compare April 22, 2024 21:00
@renovate renovate bot changed the title Update actions/checkout action to v4.1.2 Update actions/checkout action to v4.1.3 Apr 22, 2024

[puLL-Merge] - actions/checkout@v4.1.0..v4.1.3

Description

This PR makes several changes to the actions/checkout codebase:

  • Adds support for disabling sparse-checkout if the sparse-checkout input is not set
  • Introduces a new test-ubuntu-git container image for testing actions/checkout in CI/CD workflows
  • Updates minimum required Git version for sparse-checkout from 2.25 to 2.28
  • Allows configuring the SSH user when using SSH authentication
  • Bumps the version to 4.1.3

The main motivation seems to be improving the behavior and testing of the sparse-checkout functionality.

Changes

  • .github/workflows/test.yml: Adds a new test case for disabling sparse-checkout, updates test container image to test-ubuntu-git
  • .github/workflows/update-main-version.yml: Pins actions/checkout version used in the workflow to v4.1.1
  • .github/workflows/update-test-ubuntu-git.yml: New workflow to build and optionally publish the test-ubuntu-git container image
  • CHANGELOG.md: Adds entries for v4.1.1 and v4.1.2 releases
  • CODEOWNERS: Updates code owner team name
  • README.md: Minor documentation updates
  • __test__/: Updates unit tests
  • action.yml: Adds new ssh-user input
  • dist/index.js: Compiled JavaScript code, reflects code changes
  • images/: Adds Dockerfile and documentation for new test-ubuntu-git container image
  • package.json: Bumps version to 4.1.3
  • src/: TypeScript source code changes:
    • git-command-manager.ts:
      • Adds disableSparseCheckout() function
      • Updates minimum Git version for sparse-checkout to 2.28
      • Adds version() function to expose Git version
    • git-source-provider.ts: Disables sparse-checkout if not configured
    • git-source-settings.ts, input-helper.ts: Adds sshUser setting
    • url-helper.ts: Uses configured sshUser for SSH authentication

Security Hotspots

  1. Using the test-ubuntu-git container image in CI/CD workflows could be a risk if the image is not properly secured and updated. Ensure the image is built from trusted sources and scanned for vulnerabilities.

  2. The ssh-user input allows specifying the SSH user. Validate this input to prevent command injection or using an unauthorized user.

  3. Changes to the compiled dist/index.js file should be carefully reviewed to ensure they match the TypeScript source and don't introduce any vulnerabilities.

Overall, the changes look reasonable and I didn't see any major security red flags. However, it's always a good idea to thoroughly test updates to critical actions like checkout. The new tests and test-ubuntu-git image should help with that.

@renovate renovate bot force-pushed the renovate/actions-checkout-4.x branch from c249526 to 60809ba Compare April 28, 2024 15:50
@renovate renovate bot changed the title Update actions/checkout action to v4.1.3 Update actions/checkout action to v4.1.4 Apr 28, 2024

[puLL-Merge] - actions/checkout@v4.1.0..v4.1.4

Here is my review of the pull request:

Description

This PR makes several changes to the actions/checkout repository:

  1. Adds a new dependabot.yml configuration file to enable automatic dependency updates via Dependabot.
  2. Updates the container image used in the test-proxy job of the test.yml workflow to a custom actions/test-ubuntu-git image.
  3. Bumps the pinned version of actions/checkout used in a few places.
  4. Implements support for disabling sparse checkout in an existing checkout.
  5. Adds a new ssh-user input parameter to specify the SSH user.
  6. Updates the changelog and bumps the version to 4.1.4.

The main motivation seems to be enhancing the repository's testing and keeping its dependencies up-to-date. It also adds some new functionality around sparse checkouts and SSH configuration.

Changes

  • .github/dependabot.yml: Added new Dependabot configuration file
  • .github/workflows/test.yml: Updated container image for test-proxy job, bumped actions/checkout version in a few steps
  • .github/workflows/update-main-version.yml: Bumped pinned actions/checkout version
  • .github/workflows/update-test-ubuntu-git.yml: Added new workflow for publishing test-ubuntu-git container
  • CHANGELOG.md: Added entries for v4.1.1 to v4.1.4
  • README.md: Updated "What's new" section to point to releases page instead of listing changes
  • __test__/verify-basic.sh: Added check for sparse checkout being disabled
  • action.yml: Added new ssh-user input
  • dist/index.js: Regenerated build output
  • images/test-ubuntu-git.Dockerfile and images/test-ubuntu-git.md: Added new container image definition and docs
  • package.json: Bumped version to 4.1.4
  • src/git-command-manager.ts, src/git-source-provider.ts, src/git-source-settings.ts, src/input-helper.ts, src/url-helper.ts: Added support for disabling sparse checkout and specifying SSH user

Security Hotspots

  1. The custom actions/test-ubuntu-git container image should be carefully reviewed to ensure it only contains expected/necessary software and its build process is secure. Using custom containers expands the attack surface.
  2. The ssh-user input should be validated to prevent command injection if a shell command ends up being constructed with it. The current usage looks safe though.
  3. Dependabot configuration should be reviewed to ensure the defined update schedules and target branches are appropriate. Automated dependency updates are great for staying up-to-date but can also introduce unintended changes.

Overall, the changes look straightforward and beneficial; I just need to double-check the new container image and SSH input handling. The thorough testing gives confidence in the correctness of the sparse checkout behavior changes. Nice work!
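Both reviews above ask for the ssh-user input to be validated before it is used. The following is an added TypeScript example, not code from actions/checkout, showing an allowlist check for such an input and the scp-style URL it feeds; the pattern, the function names checkSshUser and buildSshUrl, and the URL shape are assumptions for illustration.

```typescript
// Added example, not code from actions/checkout. Demonstrates allowlist
// validation of an `ssh-user` style input before it is interpolated into
// an SSH clone URL. Pattern, function names and URL shape are assumptions.

// POSIX-style user name: a letter or underscore, then letters, digits,
// underscore or hyphen, at most 32 characters. Rejecting a leading '-'
// also keeps the value from being read as an option by a command-line
// tool that later receives it as an argument.
const SSH_USER_PATTERN = /^[a-z_][a-z0-9_-]{0,31}$/i;
const HOST_PATTERN = /^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/i;
const REPO_PATTERN = /^[\w.-]+\/[\w.-]+$/;

interface CheckResult {
  ok: boolean;
  reason?: string;
}

// Validate with an allowlist rather than a denylist of shell
// metacharacters, so anything unexpected is rejected by default.
function checkSshUser(user: string): CheckResult {
  if (user.length === 0) return { ok: false, reason: 'empty user' };
  if (!SSH_USER_PATTERN.test(user)) {
    return { ok: false, reason: `disallowed characters in ${JSON.stringify(user)}` };
  }
  return { ok: true };
}

// Build user@host:owner/repo.git, defaulting to the conventional "git"
// user, and refuse to build anything from input that fails validation.
function buildSshUrl(host: string, repo: string, sshUser = 'git'): string {
  const userCheck = checkSshUser(sshUser);
  if (!userCheck.ok) throw new Error(`invalid ssh-user: ${userCheck.reason}`);
  if (!HOST_PATTERN.test(host)) throw new Error(`invalid host: ${JSON.stringify(host)}`);
  if (!REPO_PATTERN.test(repo)) throw new Error(`invalid repository: ${JSON.stringify(repo)}`);
  return `${sshUser}@${host}:${repo}.git`;
}

// Constructed sample inputs: two acceptable users and two values an
// allowlist should refuse (shell metacharacters, leading dash).
const SAMPLE_USERS = ['git', 'deploy_1', 'git; echo x', '-user'];

// Return the inputs the check rejects, for inspection or logging.
function rejectedUsers(users: string[] = SAMPLE_USERS): string[] {
  return users.filter((u) => !checkSshUser(u).ok);
}

console.log(buildSshUrl('github.com', 'actions/checkout', 'deploy_1'));
console.log('rejected:', rejectedUsers());
```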

@renovate renovate bot force-pushed the renovate/actions-checkout-4.x branch from 60809ba to 4db0ec3 Compare May 8, 2024 21:21
@renovate renovate bot changed the title Update actions/checkout action to v4.1.4 Update actions/checkout action to v4.1.5 May 8, 2024
@renovate renovate bot force-pushed the renovate/actions-checkout-4.x branch from 4db0ec3 to dab0dd3 Compare May 20, 2024 19:23
@renovate renovate bot changed the title Update actions/checkout action to v4.1.5 Update actions/checkout action to v4.1.6 May 20, 2024