github/slsa-verifier
1
0
Fork 0
mirror of https://github.com/slsa-framework/slsa-verifier.git synced 2026-05-17 14:06:34 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
311b211a481bf4429bf7b4e992c3cba33818ff03
slsa-verifier/docs/CONTRIBUTING.md
Ramon Petgrave 23160d82c0 feat: workflow to update actions dist (#760) 
Add a new Post-Commit workflow, to make these renovate-bot updates a bit
easier.
Previously, we had to clone the PR locally, run `make package`, and then
push to the PR.
Now we would just need to use the github UI to invoke this new workflow
against the PR number.
We could also copy this over to the slsa-github-generator repo.

> A workflow to run against renovate-bot's PRs,
> such as `make package` after it updates the package.json and
package-lock.json files.
> The potentially untrusted code is first run inside a low-privilege
Job, and the diff is uploaded as an artifact.
> Then a higher-privilege Job applies the diff and pushes the changes to
the PR.
> It's important to only run this workflow against PRs from trusted
sources, after also reviewing the changes!

## Testing.

Tested in my own private fork, where when applicable, it pushed a commit
of changes to `dist/` folders
-
https://github.com/ramonpetgrave64/slsa-verifier/actions/runs/8806815483
  - https://github.com/ramonpetgrave64/slsa-verifier/pull/8/commits
-
https://github.com/ramonpetgrave64/slsa-verifier/actions/runs/8806841353
  - https://github.com/ramonpetgrave64/slsa-verifier/pull/16/commits

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
2024-05-06 17:56:35 -04:00

21 lines
762 B
Markdown
Raw Blame History

# Contributing
## Updating Github Actions Dependencies
### Renovate-Bot PRs
`renovate-bot` will periodically send PRs to update the `package.json` and `package-lock.json` in the Github Actions of this repo.
But, it will not also automatically recompile the packages into `.js` files.
We use a Workflow [Update actions dist post-commit](../.github/workflows/update-actions-dist-post-commit.yml) to
help maintainers easily recompile the Github Actions against a PR.
Use the UI to invoke the workflow
[update-actions-dist-post-commit.yml](https://github.com/slsa-framework/slsa-verifier/actions/workflows/update-actions-dist-post-commit.yml)
or invoke with
```shell
gh workflow run update-actions-dist-post-commit.yml -F pr_number=<pull request number>
```
Reference in New Issue View Git Blame Copy Permalink