Conversation
jsoref
commented
Apr 16, 2025
- Update workflows that are using deprecated actions that trigger deprecation warnings
- Update go code that was using deprecated io/ioutil module
- Stop workflows from running on forks as it seems implausible that anyone will ever have a PAT for this other than the main repository.
Because you should not use `${{ ... }}` in a run: step.
| steps: | ||
| - name: Harden Runner | ||
| uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 | ||
| uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 |
This is the latest release https://github.com/step-security/harden-runner/releases/tag/v2.11.1
| with: | ||
| egress-policy: audit | ||
| - name: Checkout repository | ||
| uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 |
This is a really odd one. actions/checkout@629c2de doesn't resolve. But the workflow is able to use this SHA. It appears to be a SHA that references a replaced v2 tag:
Tagger: eric sciple <ericsciple@users.noreply.github.com>
Date: Tue Nov 2 12:49:38 2021 -0500
Update v2 tag
commit ec3a7ce113134d7a93b817d10a8272cb61118579
| egress-policy: audit | ||
| - name: Checkout repository | ||
| uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 |
This is the latest release https://github.com/actions/checkout/releases/tag/v4.2.2
| # Initializes the CodeQL tools for scanning. | ||
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@5f532563584d71fdef14ee64d17bafb34f751ce5 | ||
| uses: github/codeql-action/init@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15 |
This is the latest codeql-action action (as opposed to another artifact that the repository ships): https://github.com/github/codeql-action/releases/tag/v3.28.15
| uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 | ||
| uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0 | ||
| with: | ||
| go-version: 1.24.1 |
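Review bot: `go-version: 1.24.1` pins an exact patch release, so Go toolchain security fixes only reach this workflow when someone edits that line by hand. If the intent is to follow the module's declared toolchain, `go-version-file: go.mod` (optionally with `check-latest: true`) keeps the build and the source in step; if the intent is a reproducible release toolchain, a short comment saying so would stop the next reader from "fixing" it.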
Note that this is greater than 1.16 where ioutil is deprecated, see https://pkg.go.dev/io/ioutil
| if [[ ! -e "~/.netrc" ]]; then | ||
| touch ~/.netrc | ||
| fi | ||
| printf "machine github.com login stepsecurity-infra-bot password ${{ secrets.PAT }}" >>~/.netrc |
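Review bot: on the `printf "machine github.com login stepsecurity-infra-bot password ${{ secrets.PAT }}" >>~/.netrc` line the secret is substituted into the shell command text by the runner before the shell sees it, and it lands inside printf's format string, so a `%` in the token would be interpreted as a directive. Pass it through `env:` (`PAT: ${{ secrets.PAT }}`) and hand it to printf as an argument: `printf 'machine github.com login stepsecurity-infra-bot password %s\n' "$PAT" >>~/.netrc`, which also adds the trailing newline the current line omits. Separately, `[[ ! -e "~/.netrc" ]]` tests the literal path `~/.netrc` because tilde expansion does not happen inside double quotes, so the guard never finds an existing file; since `>>` creates the file anyway the `touch` block can simply be dropped, and a `chmod 600 ~/.netrc` after the write is worth adding given the file holds a credential.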
Best practice is to not use ${{ ... }} inside a run: statement and instead favor env variables.
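As an added illustration of that point, the `.netrc` step from the diff above in its `${{ ... }}` form next to the env-variable form. This is example configuration written for this thread, not the PR's or the step-security repository's own workflow; the login name `stepsecurity-infra-bot` and the secret name `PAT` are taken from the diff, while the step names, the `umask`, and the `chmod` are assumptions of the example.

```yaml
# Added example, not the project's workflow. Shows the discouraged form and the
# corrected form of the .netrc step from the diff above.

# Discouraged: the runner substitutes the secret into the script text before
# the shell runs. It ends up inside printf's format string, so a '%' in the
# token would be interpreted; "~/.netrc" in double quotes is the literal path
# "~/.netrc", so the -e test never sees the real file; and no trailing newline
# is written.
- name: Write .netrc (form to avoid)
  run: |
    if [[ ! -e "~/.netrc" ]]; then
      touch ~/.netrc
    fi
    printf "machine github.com login stepsecurity-infra-bot password ${{ secrets.PAT }}" >>~/.netrc

# Preferred: the expression is evaluated once by the runner into an environment
# variable, the shell reads it as "$PAT" (never re-parsed as command text), and
# printf receives it as a %s argument rather than as format text.
- name: Write .netrc
  env:
    PAT: ${{ secrets.PAT }}          # secret name as used in the diff
  run: |
    umask 077                        # assumption: create the file private to the runner user
    printf 'machine github.com login stepsecurity-infra-bot password %s\n' "$PAT" >> "$HOME/.netrc"
    chmod 600 "$HOME/.netrc"         # assumption: also tighten a pre-existing file
```

The `env:` mapping is evaluated by the runner, so the value can contain quotes, `$`, `;` or `%` without changing what the shell or printf does; only the single-quoted format string and the `"$PAT"` argument are parsed by the shell.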
| - run: go build -ldflags="-s -w" -o ./agent | ||
| - name: Configure aws credentials | ||
| uses: aws-actions/configure-aws-credentials@ea7b857d8a33dc2fb4ef5a724500044281b49a5e | ||
| uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 |
This is the latest version https://github.com/aws-actions/configure-aws-credentials/releases/tag/v4.1.0
| - uses: goreleaser/goreleaser-action@5df302e5e9e4c66310a6b6493a8865b12c555af2 | ||
| - uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0 |
This is the latest version https://github.com/goreleaser/goreleaser-action/releases/tag/v6.3.0
| - name: Run coverage | ||
| run: sudo CI=true go test -race -coverprofile=coverage.txt -covermode=atomic | ||
| - uses: codecov/codecov-action@40a12dcee2df644d47232dde008099a3e9e4f865 | ||
| - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 |
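Review bot: `sudo CI=true go test -race -coverprofile=coverage.txt -covermode=atomic` runs the tests as root, so `coverage.txt` is root-owned and `go` is resolved through sudo's environment rather than the PATH that `actions/setup-go` configured for the runner user, which may not be the toolchain pinned in the setup step. If root really is needed for these tests, invoke the pinned binary explicitly (`sudo env CI=true "$(command -v go)" test ...`) or preserve the relevant variables (`sudo --preserve-env=PATH,GOPATH,GOCACHE,GOMODCACHE env CI=true go test ...`), and a `sudo go version` line in the step would make any mismatch visible in the log.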
This is the latest version: https://github.com/codecov/codecov-action/releases/tag/v5.4.2