feat: alpha release #69
Conversation
|
✅ Code Quality
|
![datadog-datadog-prod-us1[bot]](https://avatars.githubusercontent.com/u/365230?s=60&v=4){kind=small}
| NODE_AUTH_TOKEN: ${{ secrets.ENV_NPM_TOKEN }} | ||
|
|
||
| - name: Create GitHub Release | ||
| uses: actions/github-script@v7 |
There was a problem hiding this comment.
🔴 High: Code Vulnerability
Workflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)
Pin GitHub Actions by commit hash to ensure supply chain security.
Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2By default, the rule allows the following actions without pinning: "actions/checkout", "datadog/datadog-sca-github-action", "datadog/datadog-static-analyzer-github-action"
Arguments
Use the rule argument allow to allow a list of actions without pinning. The list is comma-separated.
rulesets:
- github-actions:
rules:
unpinned-actions:
arguments:
allow: actions/checkout,datadog/datadog-static-analyzer-github-action
| echo "//registry.npmjs.org/:_authToken=${{ secrets.ENV_NPM_TOKEN }}" > ~/.npmrc | ||
| npm config set access public | ||
| cd packages/browser | ||
| npm publish --tag alpha |
Motivation
publishing to the alpha channel on main for snapshot releases to help improve stability of
previewand other release channels