Suggest semantic versioned tags only to suitable action publishers #17681

Closed
wants to merge 1 commit into from

Conversation

KengoTODA commented May 7, 2022

Hello, thanks for making the doc open and easy to discuss!
Here I want to discuss an idea to improve consistency, hoping that it helps to improve users' experience and security.

Why:

The security guide recommends users avoid using tags when using third-party actions.
See "Pin actions to a full length commit SHA" and "Pin actions to a tag only if you trust the creator" on the page for detail.

But the "Releasing and maintaining actions" doc suggests all action authors provide semantic versioned tags, which will motivate action users to use tags instead of full-length commit SHAs.

Between these official docs, we have an inconsistent description at this moment.

What's being changed:

This proposal changes the doc to suggest semantic versioned tags only for internal-use actions.

It is OK for internal-use actions, like private actions used for audits, because the author is not a "third-party" for users and should be trusted by them.

Check off the following:

  • I have reviewed my changes in staging (look for "Automatically generated comment" and click Modified to view your latest changes).
  • For content changes, I have completed the self-review checklist.

Thanks for checking this PR! 👋

Writer impact (This section is for GitHub staff members only):

  • This pull request impacts the contribution experience
    • I have added the 'writer impact' label
    • I have added a description and/or a video demo of the changes below (e.g. a "before and after video")

The security guide recommends users avoid using tags when using third-party actions.
See "Pin actions to a full length commit SHA" and "Pin actions to a tag only if you trust
the creator" on the following page:
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

But this doc suggests action authors provide semantic versioned tags, which will
motivate action users to use tags instead of full-length commit SHAs.

To keep documents consistent, here we suggest semantic versioned tags only for internal-use actions.
It is OK for internal-use actions, like private actions used for audits, because the author is not
a "third-party" for users and should be trusted by them.

Signed-off-by: Kengo TODA <skypencil+github@gmail.com>
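The distinction the PR draws (full-length SHA for third-party actions, tags acceptable only for actions whose author you already trust) can be checked mechanically. The following is an added example written for this page, not code from the PR, from GitHub, or from the docs it discusses. It scans the `uses:` lines of a workflow and flags references that are not a 40-hex commit SHA, with an exception for semver tags on an assumed set of internal owners (`TRUSTED_OWNERS`, here the made-up organisation `my-org`). The sample workflow and its SHA are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Matches a workflow step's `uses:` value (quoted or not), stopping at whitespace
# or a trailing `# comment`. A regex keeps the check free of a YAML dependency.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")               # full-length commit SHA
SEMVER_TAG_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")   # v3, v1.2, v1.2.0, 1.2.3

# Constructed sample workflow (not from the PR). The SHA is a placeholder, not a
# real commit, and "my-org" is an assumed internal organisation.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v3.0.0
      - uses: actions/setup-node@v3
      - uses: some-vendor/lint-action@main
      - uses: "my-org/audit-action@v1.2.0"
      - uses: ./.github/actions/local-helper
      - run: echo build
"""

# Assumed policy: owners whose actions count as "internal-use" and may be used by tag.
TRUSTED_OWNERS: Set[str] = {"my-org"}


@dataclass
class Finding:
    uses: str    # raw `uses:` value
    owner: str   # owner/org of the action ("" for local actions)
    ref: str     # text after '@' ("" if none)
    kind: str    # sha | tag | branch-or-other | unpinned | local
    ok: bool     # whether the reference satisfies the policy


def classify_ref(ref: str) -> str:
    """Classify the part after '@' in an action reference."""
    if not ref:
        return "unpinned"
    if SHA_RE.match(ref):
        return "sha"
    if SEMVER_TAG_RE.match(ref):
        return "tag"
    return "branch-or-other"   # branch names, short SHAs, non-semver tags


def audit_workflow(text: str, trusted_owners: Set[str]) -> List[Finding]:
    """One Finding per `uses:` step. A full SHA is always acceptable; a semver tag
    is acceptable only for trusted (internal) owners; anything else is flagged."""
    findings: List[Finding] = []
    for match in USES_RE.finditer(text):
        uses = match.group(1)
        if uses.startswith("./"):
            # Local action in the same repository: fixed by the workflow's own commit.
            findings.append(Finding(uses, "", "", "local", True))
            continue
        if uses.startswith("docker://"):
            continue  # container images follow a different pinning rule; out of scope
        repo, _, ref = uses.partition("@")
        owner = repo.split("/", 1)[0]
        kind = classify_ref(ref)
        ok = kind == "sha" or (kind == "tag" and owner in trusted_owners)
        findings.append(Finding(uses, owner, ref, kind, ok))
    return findings


def unpinned_third_party(text: str, trusted_owners: Set[str]) -> List[str]:
    """The `uses:` values that violate the policy, in file order."""
    return [f.uses for f in audit_workflow(text, trusted_owners) if not f.ok]


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW, TRUSTED_OWNERS):
        print(f"{'ok  ' if f.ok else 'FLAG'} {f.kind:<16} {f.uses}")
```

Run against the sample, the check passes the SHA-pinned checkout step and the tagged `my-org` action, and flags `actions/setup-node@v3` and `some-vendor/lint-action@main`; whether first-party `actions/*` owners belong in the trusted set is exactly the policy decision the PR is arguing about, so it is left to the caller.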
welcome bot commented May 7, 2022

Thanks for opening this pull request! A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

@github-actions github-actions bot added the triage Do not begin working on this issue until triaged by the team label May 7, 2022
github-actions bot commented May 7, 2022

Automatically generated comment ℹ️

This comment is automatically generated and will be overwritten every time changes are committed to this branch.

The table contains an overview of files in the content directory that have been changed in this pull request. It's provided to make it easy to review your changes on the staging site. Please note that changes to the data directory will not show up in this table.

Content directory changes

You may find it useful to copy this table into the pull request summary. There you can edit it to share links to important articles or changes and to give a high-level overview of how the changes in your pull request support the overall goals of the pull request.

Source: actions/creating-actions/releasing-and-maintaining-actions.md
Preview: fpt, ghec, ghes@ 3.4 3.3 3.2 3.1, ghae
Production: fpt, ghec, ghes@ 3.4 3.3 3.2 3.1, ghae
What Changed:

@ramyaparimi ramyaparimi added content This issue or pull request belongs to the Docs Content team actions This issue or pull request should be reviewed by the docs actions team waiting for review Issue/PR is waiting for a writer's review needs SME This proposal needs review from a subject matter expert and removed triage Do not begin working on this issue until triaged by the team labels May 10, 2022
github-actions bot commented

Thanks for opening a pull request! We've triaged this issue for technical review by a subject matter expert 👀

github-actions bot commented

This is a gentle bump for the docs team that this PR is waiting for technical review.

@github-actions github-actions bot added the SME stale The request for an SME has staled label May 17, 2022
janiceilene commented

@KengoTODA Thanks so much for opening a pull request! Our docs are prescriptive and this doesn't follow along with our current guidance. I'm going to close this PR 💛

Thanks for your interest and passion in improving the GitHub docs ✨
