Skip to content

build: pin GHA to commit SHAs, add workflow permissions and dependabot#4601

Merged
markmandel merged 3 commits into
agones-dev:mainfrom
markmandel:gha/pin-shas
Jun 1, 2026
Merged

build: pin GHA to commit SHAs, add workflow permissions and dependabot#4601
markmandel merged 3 commits into
agones-dev:mainfrom
markmandel:gha/pin-shas

Conversation

@markmandel
Copy link
Copy Markdown
Member

@markmandel markmandel commented Jun 1, 2026

What type of PR is this?

Uncomment only one /kind <> line, press enter to put that in a new line, and remove leading whitespace from that line:

/kind breaking
/kind bug

/kind cleanup

/kind documentation
/kind feature
/kind hotfix
/kind release

What this PR does / Why we need it:

Pin all GitHub Actions references to immutable commit SHAs with inline version comments. Upgrade fossas/fossa-action from @main to v1.9.0. Add top-level permissions: {} to all workflow files and a missing contents: read block to fossa.yml (fixes code scanning alert #23). Add .github/dependabot.yml to enable weekly version update PRs for GitHub Actions.

This was done (a) because it's a good idea, and (b) because we kept getting malicious PRs trying to get us to point GitHub Actions to invalid SHA targets.

Which issue(s) this PR fixes:

N/A

Special notes for your reviewer:

https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions recommends this.

@markmandel
build: pin GHA to commit SHAs, add workflow permissions and dependabot
d2b9edf 
Pin all GitHub Actions references to immutable commit SHAs with inline
version comments. Upgrade fossas/fossa-action from @main to v1.9.0.
Add top-level permissions: {} to all workflow files and a missing
contents: read block to fossa.yml (fixes code scanning alert agones-dev#23).
Add .github/dependabot.yml to enable weekly version update PRs for
GitHub Actions.

This was done (a) because it's a good idea, and (b) because we kept
getting malicious PRs trying to get us to point GitHub Actions to
invalid SHA targets.

Signed-off-by: Mark Mandel <mark@compoundtheory.com>
@markmandel markmandel requested a review from a team June 1, 2026 18:39
@markmandel markmandel added the area/build-tools Development tooling. I.e. pretty much everything in the `build` directory. label Jun 1, 2026
@github-actions github-actions Bot added kind/cleanup Refactoring code, fixing up documentation, etc size/S labels Jun 1, 2026
@markmandel
Copy link
Copy Markdown
Member Author

markmandel commented Jun 1, 2026

@lacroixthomas particularly want your eyes on this, since you've been doing more with GitHub actions, and you did the fossa bot.

@agones-bot
Copy link
Copy Markdown
Collaborator

agones-bot commented Jun 1, 2026

Build Failed 😭

Build Id: 4475fbb5-5970-4311-a550-adc5e13cba2a

Status: FAILURE

To get permission to view the Cloud Build view, join the agones-discuss Google Group.

@markmandel markmandel mentioned this pull request Jun 1, 2026
Merged
lacroixthomas
lacroixthomas approved these changes Jun 1, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@lacroixthomas lacroixthomas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Checked the SHA commits one by one, LGTM !
Also, thanks for putting the actual version it points to as a comment next to it 👌🏼

@markmandel markmandel enabled auto-merge (squash) June 1, 2026 21:30
@agones-bot
Copy link
Copy Markdown
Collaborator

agones-bot commented Jun 1, 2026

Build Failed 😭

Build Id: cadc7cd8-d51f-4571-b14e-52d60dbba4d6

Status: FAILURE

To get permission to view the Cloud Build view, join the agones-discuss Google Group.

@markmandel
Copy link
Copy Markdown
Member Author

markmandel commented Jun 1, 2026

Hoisted on my own linter!

@markmandel
Linter updates
5bae142 
Signed-off-by: Mark Mandel <mark@compoundtheory.com>
@agones-bot
Copy link
Copy Markdown
Collaborator

agones-bot commented Jun 1, 2026

Build Succeeded 🥳

Build Id: f687649c-12ea-4155-88a9-641a2df406a3

The following development artifacts have been built, and will exist for the next 30 days:

A preview of the website (the last 30 builds are retained):

To install this version:

git fetch https://github.com/googleforgames/agones.git pull/4601/head:pr_4601 && git checkout pr_4601
helm install agones ./install/helm/agones --namespace agones-system --set agones.image.registry=us-docker.pkg.dev/agones-images/ci --set agones.image.tag=1.59.0-dev-5bae142

@markmandel markmandel merged commit b981f6c into agones-dev:main Jun 1, 2026
4 checks passed
@markmandel markmandel deleted the gha/pin-shas branch June 1, 2026 23:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lacroixthomas lacroixthomas lacroixthomas approved these changes

Assignees

No one assigned

Labels

area/build-tools Development tooling. I.e. pretty much everything in the `build` directory. kind/cleanup Refactoring code, fixing up documentation, etc size/S

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@markmandel @agones-bot @lacroixthomas