Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

frizbee fails to pin the version of ruby/setup-ruby #175

Open
Moisan opened this issue Jul 13, 2024 · 7 comments
Open

frizbee fails to pin the version of ruby/setup-ruby #175

Moisan opened this issue Jul 13, 2024 · 7 comments
Assignees
Labels
bug Something isn't working

Comments

@Moisan
Copy link

Moisan commented Jul 13, 2024

Describe the issue

frizbee fails to pin the version of the ruby/setup-ruby action when the version is setup-ruby@v1.

To Reproduce

  • Download the following github action file: wget https://raw.githubusercontent.com/Homebrew/ci-orchestrator/e791dc96262bfd324d1e5238f428e68d2ef7ecca/.github/workflows/main.yml
  • frizbee actions main.yml

Note that no update is done to setup-ruby. I would expect to see a change from setup-ruby@v1 to something like

ruby/setup-ruby@161cd54b698f1fb3ea539faab2e036d409550e3c # v1.187.0

What version are you using?

0.0.20

@Moisan Moisan added the bug Something isn't working label Jul 13, 2024
@Moisan Moisan changed the title Provide a general summary of the issue frizbee fails to pin the version of the ruby/setup-ruby Jul 13, 2024
@Moisan Moisan changed the title frizbee fails to pin the version of the ruby/setup-ruby frizbee fails to pin the version of ruby/setup-ruby Jul 13, 2024
@rdimitrov
Copy link
Member

hey, @Moisan, thanks for raising this issue. I can confirm that I tried the steps you provided and I was able to reproduce it locally 👍

@jhrozek
Copy link
Contributor

jhrozek commented Jul 15, 2024

The issue is that ruby/setup-ruby@v1 is a branch, not a tag. By default, frizbee won't pin branches because the assumption we made is that if you use a branch, typically you want to follow the branch (a typical example is myaction@master).

This is configurable, e.g. with a config like this:

ghactions:
  exclude_branches:
    - main
    - master
  exclude:
    # Exclude the SLSA GitHub Generator workflow.
    # See https://github.com/slsa-framework/slsa-github-generator/issues/2993
    - slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml

stored in .frizbee.yml the action can be resolved:

frizbee actions ruby/setup-ruby@v1
ruby/setup-ruby@161cd54b698f1fb3ea539faab2e036d409550e3c

I am not sure if dependabot would update the action though, this needs some more testing.

@jhrozek
Copy link
Contributor

jhrozek commented Jul 15, 2024

The other option would be to modify the workflow to use a tag in the first place:

uses: ruby/setup-ruby@v1.187.0

then frizbee should be able to pin the action and put the magic comment in that helps dependabot to upgrade the action.

@Moisan
Copy link
Author

Moisan commented Jul 15, 2024

I see, I didn't know that this action was using a branch instead of a tag. I think frisbee warning about that would be useful.

Also note that I was using frizbee from the command line, not trough the action.

jhrozek added a commit to jhrozek/frizbee that referenced this issue Jul 17, 2024
We used to ignore all actions that were referenced with a branch, but
this is not really intuitive. Let's only ignore main and master.

Relates: stacklok#175
@jhrozek
Copy link
Contributor

jhrozek commented Jul 17, 2024

@Moisan we merged a commit that would only avoid pinning actions that reference main or master by default (although the behaviour is still configurable, including ignoring all branches). I was thinking about another commit that would do what you proposed - gather information about the actions we skip and why and presenting them to the user in the CLI.

@Moisan
Copy link
Author

Moisan commented Jul 18, 2024

Thank you!

I was thinking about another commit that would do what you proposed - gather information about the actions we skip and why and presenting them to the user in the CLI.

Yes that would also be very useful.

@blkt
Copy link
Contributor

blkt commented Oct 29, 2024

Hey @Moisan I just wanted to check if this still relevant or if the solution provided is sufficient.
If that's the case, would it be ok for you if we close this?

Regarding the additional behavior of skipping and reporting it to the user, we would love to look into a PR if you're interested to contributing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

4 participants