CI - LibertyDSNP/frequency GitHub Wiki

Diagrams

GitHub Actions

The preference for action usage:

  1. Official Actions from GitHub (no need to whitelist)
  2. Actions from Verified Creators (must be pinned to a specific version and whitelisted)
  3. All other actions (must be thoroughly reviewed, pinned to SHA and whitelisted)

Pinning Guidelines

Each GitHub action used in CI must be pinned either to a specific version tag or SHA. The general pinning rules are:

  1. The following actions can be pinned to a specific version, e.g. @v1, @v2, @v0.0.1, etc. No match strings are allowed.

  2. All other actions must be pinned to the exact SHA per GitHub's "Using third-party actions" guidelines.
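
One way to enforce these pinning rules is to lint workflow files before review. The following is an added example, not code from the frequency repository; the owner set, the function names, and the sample workflow are assumptions made for illustration.

```python
import re

# Assumption: owners allowed to use a version tag; placeholders, not the wiki's list.
TAG_PINNABLE_OWNERS = {"actions", "github", "example-verified-org"}

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
VERSION_TAG_RE = re.compile(r"v\d+(\.\d+){0,2}")  # v1, v2, v0.0.1; no wildcards

def check_ref(uses):
    """Return None if the reference follows the pinning rules, else a reason."""
    if uses.startswith(("./", "docker://")):
        return None  # local actions and container images are out of scope here
    action, _, ref = uses.partition("@")
    if not ref:
        return "not pinned to a version tag or SHA"
    if FULL_SHA_RE.fullmatch(ref):
        return None  # a full commit SHA is acceptable for any action
    if action.split("/", 1)[0] in TAG_PINNABLE_OWNERS:
        if VERSION_TAG_RE.fullmatch(ref):
            return None
        return "ref is not a specific version tag or full SHA"
    return "must be pinned to a full commit SHA"

def lint_workflow(text):
    """Return (line number, reference, reason) for every violating step."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)
        reason = check_ref(match.group(1)) if match else None
        if reason:
            findings.append((lineno, match.group(1), reason))
    return findings

# Constructed sample workflow, not taken from the frequency repository.
SAMPLE = """\
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@main
      - uses: example-verified-org/setup-tool@v1.2.0
      - uses: some-user/some-action@v3
      - uses: some-user/some-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for finding in lint_workflow(SAMPLE):
        print("line %d: %s: %s" % finding)
```

Branch names such as @main and wildcard refs fail the version-tag check, and abbreviated SHAs are rejected because only a full 40-character commit SHA identifies the pinned code unambiguously.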

Whitelisting a New External GitHub Action

Any new external action that is not currently on the approved organization list, or a new version of a previously approved action, will need to be whitelisted before it can be used in CI.

To whitelist a new action:

For Developers:

  1. Send a request with the GitHub link to the new action/version you would like to be whitelisted to one of the LibertyDSNP organization owners (currently @wilwade, @demisx, @sbendar). Please briefly indicate the rationale for your request.
  2. Upon review, the organization owner will respond with either approval or denial of your request. If denied, the organization owner is encouraged to specify the reason for denial and what may be necessary to gain approval.

For Organization Owners:

Use the Organization Actions Settings page to manage whitelisted actions. If an action cannot be approved, please respond with the reason and any suggestions on how this request may gain your approval. The more effort is made to help the requester understand the denial reason, the less back and forth there may be for you in the future.