Conversation

@williamjallen
Contributor

Hash-pinned dependencies are an important requirement enforced by the OpenSSF scorecard tool: https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies

This commit pins all GitHub Actions workflows to a commit hash.

@wkliao
Member

wkliao commented Dec 12, 2025

Thanks. Could you please let me know how to obtain the GitHub action SHA,
so I can update it when a newer version is required in the future?

@williamjallen
Contributor Author

@wkliao I'd recommend using Dependabot to automatically create dependency update PRs for GitHub Actions. Dependabot can update the hash and comment.

Usage of a dependency-update tool is another of the OpenSSF scorecard metrics. Kitware has funding to help PESO member projects improve security by implementing the OpenSSF scorecard recommendations. If you're interested, I'd be happy to make a follow-up PR to add a Dependabot config to create update PRs for these actions automatically.

@williamjallen
Contributor Author

@wkliao I see that you rebased my branch. Is there anything I need to do to get this merged at this point?

@wkliao
Member

wkliao commented Jan 5, 2026

I think this was done automatically by GitHub when the branch (master in this case) a PR is based on gets a push.

@wkliao
Member

wkliao commented Jan 5, 2026

-        - uses: actions/checkout@v4
+        - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
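Review bot: the trailing `# v4` comment on the pinned line records only the floating major tag, so a reader cannot tell which release the hash was resolved from; record the exact release tag next to the SHA so a reviewer can confirm the hash matches that tag and so Dependabot's hash-plus-comment updates stay meaningful.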

Could you please help me better understand this PR?
Why would missing GHA SHA numbers be a security issue?
I guess it makes sense for 3rd-party software, but I am not sure whether it is necessary for the GHA.

@williamjallen
Contributor Author

@wkliao Tags can be reassigned, meaning that tags can be reassigned to a malicious commit if a GHA is compromised. A high-profile example of this is the tj-actions hack last year. All projects using hash-pinned dependencies were unaffected, while projects using the tag were compromised.

@wkliao
Member

wkliao commented Jan 5, 2026

Thanks for your prompt reply.

I understand the risk when using third-party software.
But the ones changed in this PR are not third-party. They are GitHub's.

However, PnetCDF does have some dependencies on other 3rd party software, such as MPICH, OpenMPI, etc.

@williamjallen
Contributor Author

@wkliao While actions/checkout is maintained by GitHub and thus presumably has lower chances of being compromised, it certainly can't hurt to hash-pin it. Hash-pinning actions/checkout also means that we can add a CI check later to verify that all GHA dependencies are hash-pinned, meaning that future 3rd-party dependencies won't be missed if they're added in the future.
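A CI check of the kind mentioned above, as an added example that is not part of this PR or the PnetCDF project: it scans workflow text for `uses:` references and reports any that are not pinned to a full 40-character commit SHA. The sample workflow and the `some-org/some-action` names are constructed; the only real hash is the actions/checkout one quoted in this PR.

```python
import re
import sys

# A commit SHA-1 is 40 hex characters; anything shorter (a tag, a branch
# name or an abbreviated hash) can be moved to point at a different commit.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo[/subpath]@ref"; local actions ("./path") and
# Docker references ("docker://...") have no "@" and are skipped.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[^@\s]+)?)@([^\s#]+)")


def find_unpinned(workflow_text):
    """Return (line_number, action, ref) for every `uses:` not pinned to a full SHA."""
    unpinned = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if m is None:
            continue
        action, ref = m.group(1), m.group(2)
        if not FULL_SHA.match(ref):
            unpinned.append((lineno, action, ref))
    return unpinned


# Constructed sample workflow (not taken from the PnetCDF repository).
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - uses: actions/setup-python@v5
      - uses: ./.github/actions/local-step
      - uses: some-org/some-action@main
      - uses: some-org/some-action@34e11487
      - run: make check
"""

if __name__ == "__main__":
    # In CI, feed each .github/workflows/*.yml file's contents instead.
    findings = find_unpinned(SAMPLE_WORKFLOW)
    for lineno, action, ref in findings:
        print(f"line {lineno}: {action}@{ref} is not pinned to a full commit SHA")
    sys.exit(1 if findings else 0)
```

The check exits non-zero whenever a tag, branch or abbreviated hash is found, so it can gate future third-party actions in CI.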

@wkliao
Member

wkliao commented Jan 6, 2026

Thanks.

Could you please update this PR by adding that Dependabot configuration you mentioned earlier, to enable the hash number retrieval automatically?

In addition, all yaml files were recently split into two to shorten their run time.
Could you also update this PR accordingly?

This commit adds a basic Dependabot configuration for GitHub Actions workflow updates. In addition to keeping dependencies fresh, adding a Dependabot configuration allows the project to receive Dependabot security alerts if configured in the project settings: https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates

@williamjallen
Contributor Author

@wkliao Done. I just applied the same changes to each of the new files and added a Dependabot config for GitHub Actions.

@williamjallen
Contributor Author

@wkliao FYI, Dependabot will run immediately any time you edit the config file, so Dependabot will run immediately as soon as this PR is merged. You can also run Dependabot manually via the link in the repo settings (again, once this PR is merged and the default branch has a Dependabot config).

@wkliao wkliao force-pushed the pin-gha-workflows branch from 88684a9 to 2e8dc2b January 8, 2026 00:29

@wkliao
Member

wkliao commented Jan 8, 2026

Thanks for the info and your PR.

@wkliao wkliao merged commit 5569d26 into Parallel-NetCDF:master Jan 8, 2026
9 checks passed
@williamjallen williamjallen deleted the pin-gha-workflows branch January 8, 2026 00:31
@williamjallen
Contributor Author

Here's a PR Dependabot created as a result of the initial run: #205
