Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use actions-ecosystem/action-add/remove-labels #75

Merged
merged 4 commits into from
Apr 3, 2023
Merged

Use actions-ecosystem/action-add/remove-labels #75

merged 4 commits into from
Apr 3, 2023

Conversation

kenodegard
Copy link
Contributor

Description

Instead of using a custom implementation of adding/removing labels, should we use the third-party action (https://github.com/actions-ecosystem/action-add-labels, https://github.com/actions-ecosystem/action-remove-labels)?

Checklist - did you ...

  • Add a file to the news directory (using the template) for the next release's release notes?
  • Add / update necessary tests?
  • Add / update outdated documentation?

@conda-bot conda-bot added the cla-signed [bot] added once the contributor has signed the CLA label Feb 22, 2023
@jezdez
Copy link
Member

jezdez commented Mar 1, 2023

That's reasonable, https://github.com/actions-ecosystem is relatively well-known and trust-worthy. But as the GitHub docs mention, we should "harden" our use of GHA by referring to commit, not tags.

jezdez
jezdez previously requested changes Mar 1, 2023
View reviewed changes
Copy link
Member

@jezdez jezdez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if we should only allow actions from certain GitHub orgs in the conda organization settings FWIW. That may put a scope to the risk maybe?

@kenodegard kenodegard requested a review from jezdez March 1, 2023 17:30
@dbast
Copy link
Member

dbast commented Mar 1, 2023

related to that: Would be interesting to figure out how to update the pinned sha1s to newer tagged versions via dependabot/renovate ... dependabot seems to only supports .github/workflow/*.yml files... no composite action.yml support even though the syntax and versioning is the same.. not sure about renovate

@kenodegard
Copy link
Contributor Author

@dbast per this SO post, dependabot understands composite actions: https://stackoverflow.com/a/74997644/5239932

dbast
dbast previously approved these changes Mar 3, 2023
View reviewed changes
@kenodegard kenodegard requested a review from dbast March 3, 2023 19:49
@kenodegard kenodegard dismissed jezdez’s stale review April 3, 2023 20:18

stale review

@kenodegard kenodegard merged commit d111e47 into main Apr 3, 2023
@kenodegard kenodegard deleted the use-3party-action branch April 3, 2023 20:19
@github-actions github-actions bot added the locked [bot] locked due to inactivity label Apr 3, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 3, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@dbast dbast dbast approved these changes

@jezdez jezdez Awaiting requested review from jezdez

Assignees
No one assigned
Labels
cla-signed [bot] added once the contributor has signed the CLA locked [bot] locked due to inactivity
Projects
🔎 Review
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@kenodegard @jezdez @dbast @conda-bot