GitHub runs are warning/failing because of out-of-date Node configuration
aiuto opened this issue · comments
Describe the bug
A few days ago, our GitHub workflows started failing. The message from the workflow run is
Scorecard analysis
Node.js 16 actions are deprecated. Please update the following actions to use Node.js 20:
actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab. For more information see:
https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/.
Reproduction steps
- install scorecard as per the installation instructions: https://github.com/ossf/scorecard-action#installation
- let the workflow run
- check project Security tab
- Note the "configuration errors" warning bar
Expected behavior
The install instructions should point to a version of actions/checkout that is compliant with GitHub's needs.
I also expect that the project has numbered releases so humans can reason about updates more easily.
This isn't due to Node, but rather due to ossf/scorecard-action#997 (comment), although both are due to out-of-date versions.
Please upgrade your version of scorecard action to v2.3.1 (whose hash is 0864cf19026789058feabb7e87baa5f140aac736).
The install instructions
We have a patch for the starter workflow in review (actions/starter-workflows#2348), and will make similar changes to our scorecard action readme which has admittedly drifted out of date.
I also expect that the project has numbered releases so humans can reason about updates more easily.
For our rationale, please read "Pin actions to a full length commit SHA" and "Pin actions to a tag only if you trust the creator"
https://docs.github.com/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions.
You're more than welcome to use @v2 or @v2.3.1 in your workflow, but Scorecard recommends pinned dependencies. Tools like Dependabot can help maintain human readability in the form of version comments, which the tools will update for you. E.g. https://github.com/ossf/scorecard/pull/3599/files