
chore(deps): update actions/checkout action to v4.1.4 #573

Merged: 1 commit, Apr 29, 2024

Conversation

renovate[bot] (Contributor) commented Apr 24, 2024

Mend Renovate

This PR contains the following updates:

Package           Type    Update  Change
actions/checkout  action  patch   v4.1.1 -> v4.1.4

Release Notes

actions/checkout (actions/checkout)

v4.1.4

v4.1.3

What's Changed

Full Changelog: actions/checkout@v4.1.2...v4.1.3

v4.1.2

Configuration

📅 Schedule: Branch creation - "* 0-4 * * 3" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot requested a review from a team as a code owner April 24, 2024 02:02

[puLL-Merge] - actions/checkout@v4.1.1..v4.1.3

Here is my review of the PR:

Description

This PR makes several changes and additions to the actions/checkout repository:

  • Bumps the version to 4.1.3
  • Adds support for disabling sparse checkout when the sparse-checkout input is not provided
  • Introduces a new ssh-user input to specify the SSH user to use when fetching via SSH
  • Adds a new test-ubuntu-git Docker image for testing actions/checkout in CI/CD
  • Updates the minimum required Git version for sparse checkout to 2.28

The motivation seems to be to fix some bugs, add some new functionality, and improve the testing setup.

Changes

  • .github/workflows/test.yml - Adds a new test for disabling sparse checkout, uses new test-ubuntu-git image for testing
  • .github/workflows/update-main-version.yml - Pins actions/checkout to a stable version for the version update workflow
  • .github/workflows/update-test-ubuntu-git.yml - New workflow to build and publish the test-ubuntu-git image
  • CHANGELOG.md - Documents changes in 4.1.1 and 4.1.2
  • README.md - Documents new ssh-user input
  • __test__/* - Updates tests for sparse checkout version check and new mocks
  • action.yml - Adds ssh-user input
  • dist/index.js - Compiled JavaScript, not worth reviewing
  • images/test-ubuntu-git.Dockerfile - New Dockerfile for test-ubuntu-git image
  • images/test-ubuntu-git.md - Documentation for new test-ubuntu-git image
  • package.json - Bumps version to 4.1.3
  • src/git-command-manager.ts - Implements disableSparseCheckout, updates minimum version for sparse checkout
  • src/git-source-provider.ts - Disables sparse checkout if not enabled
  • src/git-source-settings.ts - Adds sshUser to settings interface
  • src/input-helper.ts - Reads ssh-user input
  • src/url-helper.ts - Uses ssh-user when building SSH URL

Security Hotspots

  1. The new ssh-user input in action.yml could potentially allow specifying an arbitrary user for the SSH connection. This input should be validated to ensure only authorized users can be specified. Risk level - Medium
  2. The test-ubuntu-git image build and publish process in .github/workflows/update-test-ubuntu-git.yml should ensure the base Ubuntu image is kept up-to-date and scanned for vulnerabilities before publishing. Risk level - Low

Overall this looks like a solid PR that fixes some issues and adds useful functionality. Just need to keep an eye on the security aspects of the SSH user input and test image publishing. Nice work!

@renovate renovate bot force-pushed the renovate/actions-checkout-4.x branch from de569be to 2419a52 on April 28, 2024 17:13
@renovate renovate bot changed the title from "chore(deps): update actions/checkout action to v4.1.3" to "chore(deps): update actions/checkout action to v4.1.4" on Apr 28, 2024

[puLL-Merge] - actions/checkout@v4.1.1..v4.1.4

Description

This PR makes several changes to the actions/checkout GitHub Action:

  • Adds a dependabot configuration file to automate dependency updates
  • Updates the actions/checkout version used in CI workflows
  • Fixes an issue with disabling sparse checkouts
  • Adds support for configuring the SSH user
  • Updates documentation and CHANGELOG
  • Adds a new container image for testing

Changes

  • .github/dependabot.yml: Added new file to configure Dependabot for automated dependency updates
  • .github/workflows/test.yml:
    • Updated actions/checkout version from v3 to v4.1.1
    • Added test for verifying sparse checkout is disabled correctly
    • Updated test container image to ghcr.io/actions/test-ubuntu-git:main
  • .github/workflows/update-main-version.yml: Updated actions/checkout version to v4.1.1
  • .github/workflows/update-test-ubuntu-git.yml: Added new workflow to publish test-ubuntu-git container image
  • CHANGELOG.md: Added details for v4.1.1 to v4.1.4 releases
  • README.md: Added documentation for new ssh-user input parameter
  • action.yml: Added new ssh-user input
  • src/git-command-manager.ts:
    • Added MinimumGitSparseCheckoutVersion constant
    • Added disableSparseCheckout() function
    • Store git version in gitVersion property
  • src/git-source-provider.ts: Disable sparse checkout if not enabled
  • src/git-source-settings.ts: Added sshUser property
  • src/input-helper.ts: Read ssh-user input
  • src/url-helper.ts: Use configured SSH user for fetch URL
  • images/: Added Dockerfile and README for new test-ubuntu-git container image

Security Hotspots

  1. ssh-user input allows specifying arbitrary SSH usernames which could enable impersonation if misused. However, this would require the attacker to already have credentials to the repo. Low risk.
  2. test-ubuntu-git container runs as root by default which is not ideal from a security perspective. Consider using a non-root user. Low risk for a test/CI image.
  3. Dependabot configuration automates dependency updates which could introduce vulnerabilities if the updates are not reviewed carefully. However, it is configured to only do patch/minor updates. Low risk.

In summary, the changes look reasonable from a security perspective. The main suggestions would be to review Dependabot PRs carefully and consider running the test container as a non-root user if practical. Nice work on the detailed tests, documentation and changelog!
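Both reviews flag the new ssh-user input as a value that should be validated before it is embedded in the SSH fetch URL. The following is an added example in TypeScript, not code from actions/checkout itself; the function names (isSafeSshUser, buildSshFetchUrl), the fallback user `git` and the accepted username pattern are assumptions made for the illustration.

```typescript
// Added example (not actions/checkout's own code): build an SSH fetch URL from a
// configurable ssh-user input, accepting only a conservative username pattern.
// The names and the default user "git" are assumptions for this illustration.

// Plain POSIX-style username: starts with a letter or underscore, then up to 31
// letters, digits, underscores or hyphens. This excludes '@', ':', '/', whitespace
// and a leading '-', so the value can only ever be read as a username.
const SSH_USER_PATTERN = /^[a-z_][a-z0-9_-]{0,31}$/i;

function isSafeSshUser(user: string): boolean {
  return SSH_USER_PATTERN.test(user);
}

function buildSshFetchUrl(
  host: string,
  owner: string,
  repo: string,
  sshUser?: string,
): string {
  // An absent or empty input falls back to the conventional "git" user.
  const user = sshUser === undefined || sshUser === '' ? 'git' : sshUser;
  if (!isSafeSshUser(user)) {
    // Fail closed rather than passing an unexpected value on to git/ssh.
    throw new Error('ssh-user input rejected: not a plain username');
  }
  return `${user}@${host}:${owner}/${repo}.git`;
}

// Returns true when buildSshFetchUrl rejects the given ssh-user value.
function rejectsSshUser(user: string): boolean {
  try {
    buildSshFetchUrl('github.com', 'actions', 'checkout', user);
    return false;
  } catch {
    return true;
  }
}
```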

@thypon thypon merged commit edd07a6 into main Apr 29, 2024
8 checks passed
@thypon thypon deleted the renovate/actions-checkout-4.x branch April 29, 2024 22:24