[Enhancement] Fix unpinned dependencies

[lprimak]

Search before asking

• I had searched in the issues and found no similar issues.

Enhancement Request

It looks like there are new unpinned dependencies that are being reported against Shiro:

Pinned-Dependencies
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/labeler.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/apache/shiro/labeler.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pre-commit.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/apache/shiro/pre-commit.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pre-commit.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/apache/shiro/pre-commit.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pre-commit.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/apache/shiro/pre-commit.yml/main?enable=pin
Warn: pipCommand not pinned by hash: .github/workflows/pre-commit.yml:42
Warn: pipCommand not pinned by hash: .github/workflows/pre-commit.yml:43
Info: 13 out of 17 GitHub-owned GitHubAction dependencies pinned
Info: 1 out of 1 third-party GitHubAction dependencies pinned
Info: 0 out of 2 pipCommand dependencies pinned

Describe the solution you'd like

Fix this / pin with a hash

Are you willing to submit PR?

• Yes I am willing to submit a PR!

[lprimak]

@jbampton can you take care of this please?

[jbampton]

Yes I will work on this. You can assign me.

[lprimak]

I got PR created: #2384 you can close / re-create if needed or create another one and I'll close mine.

[jbampton]

I have used Step Security before.

[jbampton]

The two below lines basically say you should have a Python requirements file with your dependencies pinned.

So we are using pre-commit which is a Python package. It is designed to run on your local machine.

I did try to add support in #2341 but it was banned straight away

Warn: pipCommand not pinned by hash: .github/workflows/pre-commit.yml:42
Warn: pipCommand not pinned by hash: .github/workflows/pre-commit.yml:43

[lprimak]

John, is does precommit run on GH action runner or is it strictly run on users machine?
I don’t see it running on my machine. Am I confused?

[jbampton]

We have pre-commit running with GitHub Actions.

But pre-commit is designed to run on your local machine they are commit hooks that run on git commit.

So by running the pre-commit tests locally you find the issues first before pushing up to the GitHub CI which saves a lot of time.

So you have not installed pre-commit and the hooks locally but I have and that is what everyone does that uses git hooks:

https://pre-commit.com

"Git hook scripts are useful for identifying simple issues before submission to code review. We run our hooks on every commit to automatically point out issues in code such as missing semicolons, trailing whitespace, and debug statements. By pointing these issues out before code review, this allows a code reviewer to focus on the architecture of a change while not wasting time with trivial style nitpicks."

pre-commit is a Python package:

https://pypi.org/project/pre-commit/

Have a quick read of some docs I wrote for Apache CloudStack on pre-commit

https://github.com/apache/cloudstack/blob/main/PRE_COMMIT.md

Also some Apache projects integrate Makefiles for convenience to run the pre-commit commands.

Example:

https://github.com/apache/tooling-trusted-releases/blob/d9de04989ab694cc84836565824e8b4e165b3b54/Makefile#L31

Also Apache Airflow is a huge git hooks user. They have about 900 lines in their pre-commit config

https://github.com/apache/airflow/blob/main/.pre-commit-config.yaml

[lprimak]

Thank you