Using hashes for all actions #81
Conversation
| @@ -21,10 +21,10 @@ jobs: | |||
| if: github.repository == 'scientific-python/upload-nightly-action' | |||
|
|
|||
| steps: | |||
| - uses: actions/checkout@v4 | |||
| - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 | |||
There was a problem hiding this comment.
@tupui you said that maybe we had to use hash:hash ?
There was a problem hiding this comment.
I'm slightly less concerned about these for projects that are known. But maybe I don't understand @tupui's point.
There was a problem hiding this comment.
I am trying to find where I read that 😅 Still digging but yes the hack was that if you had a branch named as the hash, then it would be picked up. In the article they were mentioning some protections from GitHub but there was still a way to do the hack IIRC.
|
Given that we didn't find the syntax of specifying that the hash is a hash, let's go ahead with this as is. I tried to create 40 long hexa branches but couldn't do that on the GH web interface, nor I could push such a branch from a local checkout. 
|
|
Normal for CI to fail? |
I believe it is expected to fails for all but @matthewfeickert |
No, it has nothing to do with my account, it just will always fail if a PR from a fork as the CI requires secrets that are repo/org specific, as described in #32 (comment) |
SGTM, so let's merge. |
Oh, ok. I haven't realized that you didn't open your PRs from your fork, just noticed that those all have the green tickmarks while the rest are crossed out. |
No description provided.