You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This is a chicken-and-egg problem: in order to generate the release, we need the right hash to pin the action's docker image. But to generate it, we need a release. We may need to split the problem into 2 stages:
Generate the docker image, maybe via a workflow triggered by dispatch even that we trigger manually. This may later be automated via a workflow that looks at every push event whether the hash was edited in the previous PR.
@naveensrinivasan I now remember why this needs some update. We need to generate the action container image based on a manual GitHub trigger. It does not work on a push trigger.
https://github.com/ossf/scorecard-action/blob/main/action.yaml#L48 we need to pin our docker.
However, there's a problem because we currently generate the docker file upon new release generation thru this workflow https://github.com/ossf/scorecard-action/blob/main/.github/workflows/docker-sign.yml
This is a chicken-and-egg problem: in order to generate the release, we need the right hash to pin the action's docker image. But to generate it, we need a release. We may need to split the problem into 2 stages:
@naveensrinivasan @azeemshaikh38 other ideas?
The text was updated successfully, but these errors were encountered: