chromaui/chromatic-cli

GitHub action version by SHA not supported

jmfrancois opened this issue · 5 comments

Bug report

I need to follow security best practices.
We have moved to SHA versions to really pin the version used for every GitHub action, following this documented best practice:
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

The only issue I have is with the Chromatic GitHub action. Here are the logs:

Getting action download info
Download action repository 'actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3' (SHA:8f4b7f84864484a7bf31766abe9204da3cbe65b3)
Download action repository 'actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c' (SHA:64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c)
Download action repository 'chromaui/action@641759d315cf9db33a150a70cb904b7853049ca6' (SHA:641759d315cf9db33a150a70cb904b7853049ca6)
Error: An action could not be found at the URI 'https://api.github.com/repos/chromaui/action/tarball/641759d315cf9db33a150a70cb904b7853049ca6'

Looking at the repository, there is only one commit, so the previous version was 641759d315cf9db33a150a70cb904b7853049ca6, but now it doesn't exist anymore.

Could you please update the way you push to the corresponding repository to keep previous versions in the history?

Hi Jean-Michel,

Our release process for the GitHub Action currently involves replacing the entire repository with the updated version. Admittedly this isn't the best way to go about it, and we've been thinking about supporting proper versioning (by using tags and not trashing the repo every time). It's hard to prioritize such a change though, because only a handful of customers have ever complained about it. We have an internal ticket tracking the task. I'll link this issue to it.

Meanwhile, an immediate workaround would be for you to fork our action repository and use that in your pipeline instead. That way you'll have complete control over when you upgrade to a newer version, and have a stable commit hash to pin down.

If you need more assistance, please talk to us via the chat when you're signed in on Chromatic.

Closing this issue for now. Will report back if we have an update.
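The failure in this thread (a SHA pin that stops resolving because the action's repository history was replaced) is easy to detect before it breaks a pipeline. The following is an added example, not code from Chromatic or from this thread: it scans a workflow file for `uses:` lines, flags refs that are not full commit SHAs, and checks each SHA against the GitHub commits API (the `exists` callback is injectable so the check can run offline). The sample workflow and the `actions/setup-node@v3` line are constructed for the example; the two SHAs are the ones from the log above.

```python
import re
import urllib.error
import urllib.request
from typing import Callable

# Matches "uses: owner/repo@ref" (also "owner/repo/subdir@ref"); local "./" and
# "docker://" uses never carry "owner/repo@" and are skipped.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+)/([\w.-]+)(?:/[^@\s]+)?@([^\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample: one good pin, the pin from the issue log, one tag-based ref.
SAMPLE_WORKFLOW = """\
jobs:
  chromatic:
    steps:
      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3
      - uses: chromaui/action@641759d315cf9db33a150a70cb904b7853049ca6
      - uses: actions/setup-node@v3
"""

def commit_exists_on_github(owner: str, repo: str, sha: str) -> bool:
    """Ask the GitHub API whether the commit is still reachable upstream.
    A 404/422 is the same condition that produced the tarball error in the log."""
    url = f"https://api.github.com/repos/{owner}/{repo}/commits/{sha}"
    req = urllib.request.Request(url, headers={"Accept": "application/vnd.github+json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code in (404, 422):
            return False
        raise

def audit_workflow(text: str,
                   exists: Callable[[str, str, str], bool] = commit_exists_on_github) -> list[str]:
    """Return one finding per problematic `uses:` line: refs that are not a full
    commit SHA, and SHA pins that no longer resolve upstream (e.g. after a force-push)."""
    findings = []
    for owner, repo, ref in USES_RE.findall(text):
        target = f"{owner}/{repo}@{ref}"
        if not FULL_SHA_RE.match(ref):
            findings.append(f"UNPINNED {target}: not a full 40-char commit SHA")
        elif not exists(owner, repo, ref):
            findings.append(f"DANGLING {target}: commit no longer exists upstream")
    return findings

if __name__ == "__main__":
    # Live check against GitHub; run this in CI to catch dangling pins early.
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```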