GitHub workflows are used to:

- run the test suite
- build packages and upload them to PyPI and to the GitHub release
- build the documentation and check its links
Some of these workflows need to access GitHub "secrets", which are private to the HyperSpy repository, in order to upload to PyPI or to push code to other branches.
To reduce the risk that these "secrets" are exposed publicly, for example through the injection of malicious code by third parties into one of the GitHub workflows used in the HyperSpy organisation, third-party actions (those that are not provided by established trusted parties) are pinned to the SHA of a specific commit that is trusted not to contain malicious code.
Updating GitHub Actions
The workflows in the HyperSpy repository use GitHub actions provided by established trusted parties and by third parties. They are updated regularly by Dependabot in pull requests.
When updating a third-party action, the action has to be pinned to the SHA of the commit of the updated version, and the corresponding code changes need to be reviewed to verify that they don't include malicious code.
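The following script is an added example, not part of the HyperSpy documentation or repository, that illustrates both the pinning rule above and a check a reviewer could run on a Dependabot pull request: it scans the `uses:` lines of a workflow file and reports third-party actions that are referenced by a mutable tag or branch instead of a full commit SHA. The workflow snippet is constructed for this example, and the set of "established trusted parties" (`TRUSTED_OWNERS`) is an assumption of the example, not a list taken from the page.

```python
import re

# Constructed sample workflow (not from the HyperSpy repository):
# one action from a trusted owner referenced by tag, one third-party action
# pinned to a full commit SHA, and one third-party action referenced only by
# a mutable tag. The SHA below is a made-up placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v2.1.0
      - uses: another-org/another-action@v1
      - run: pytest
"""

# Owners treated as "established trusted parties". This is an assumption made
# for the example; adjust it to the policy of the repository being checked.
TRUSTED_OWNERS = {"actions", "github"}

# Matches "uses: owner/repo@ref" (with or without a leading list dash) and
# stops before any trailing comment such as "# v2.1.0".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full 40-character hexadecimal commit SHA; short SHAs are not accepted.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref):
    """Classify one 'uses:' reference.

    Returns (owner, version, status) where status is one of:
      'trusted'  - published by an owner in TRUSTED_OWNERS
      'pinned'   - third party, pinned to a full 40-hex commit SHA
      'unpinned' - third party, referenced by a mutable tag or branch
      'local'    - local path or docker:// reference, not checked here
    """
    if ref.startswith("./") or ref.startswith("docker://"):
        return (None, None, "local")
    action, _, version = ref.partition("@")
    owner = action.split("/")[0]
    if owner in TRUSTED_OWNERS:
        return (owner, version, "trusted")
    if SHA_RE.match(version):
        return (owner, version, "pinned")
    return (owner, version, "unpinned")


def find_unpinned(workflow_text):
    """Return the third-party 'uses:' references not pinned to a commit SHA."""
    unpinned = []
    for line in workflow_text.splitlines():
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        _, _, status = classify_uses(ref)
        if status == "unpinned":
            unpinned.append(ref)
    return unpinned


if __name__ == "__main__":
    # Usage: run against the constructed sample; in practice read each file
    # under .github/workflows/ and pass its contents to find_unpinned().
    for ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"not pinned to a commit SHA: {ref}")
```

The check deliberately treats a version comment such as `# v2.1.0` as informational only: the comment helps the reviewer see which release the SHA corresponds to, but only the SHA itself fixes the code that will run. A pinned SHA does not replace the review step the page describes; it only guarantees that what was reviewed is what the workflow executes.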