[all-commits] [llvm/llvm-project] f3524e: Hashpin sensitive dependencies and configure depen...

diogoteles08 via All-commits all-commits at lists.llvm.org
Mon Jan 15 12:30:54 PST 2024 

  Branch: refs/heads/main
  Home:   https://github.com/llvm/llvm-project
  Commit: f3524e9aebbfabed0c60d0087b39ce14d8f778da
      https://github.com/llvm/llvm-project/commit/f3524e9aebbfabed0c60d0087b39ce14d8f778da
  Author: Diogo Teles Sant'Anna <diogoteles at google.com>
  Date:   2024-01-15 (Mon, 15 Jan 2024)

  Changed paths:
    A .github/dependabot.yml
    M .github/workflows/release-binaries.yml
    M .github/workflows/release-tasks.yml
    A llvm/docs/requirements-hashed.txt

  Log Message:
  -----------
  Hashpin sensitive dependencies and configure dependabot to update them automatically (#75859)

Closes #75620 

As I mentioned on the issue, this PR aims to hash-pin the CI
dependencies used on sensitive context -- i.e., they either are called
with write permissions, or are being used to build critical artifacts
like a release. In summary, this PR brings 3 changes:

1. Hash pin GitHub Actions called on sensitive context
2. Hash pin python dependencies used on sensitive context
3. Configure dependabot to automatically update those hashes
I'm further explaining the steps bellow.

The dependencies in format of GitHub Actions, I simply hash-pinned them.
I also made sure to keep the human-readable version as comments at the
same line.

At the
[release-tasks.yml](https://github.com/llvm/llvm-project/blob/main/.github/workflows/release-tasks.yml)
file, I've changed the installation method of some python dependencies
to install them considering their hashpinning. That required the
generation of a requirements file that had all the correct hashes, and
for that I used [pip-tools](https://pypi.org/project/pip-tools/2.0.0/).

While configuring dependabot, I set it to send a monthly PR updating all
the GitHub Actions, and a weekly PR to update any python dependency
required by
[/llvm/docs/requirements.txt](https://github.com/llvm/llvm-project/blob/main/llvm/docs/requirements.txt).

Let me know if you have any questions or concerns, I'd be happy to
clarify and help.

Thanks!

---------

Signed-off-by: Diogo Teles Sant'Anna <diogoteles at google.com>

More information about the All-commits mailing list