ci: reference actions using tags #4086
In my opinion, all of those references are discussing third party actions. The GitHub provided actions under the Regarding "if a broken commit is made to an action's branch then we will immediately feel it." Put bluntly: I don't care. What I do care about is getting far fewer dependabot (or whatever other auto check bot) notifications that a new release is available. I don't care if they get automerged or not, the notifications still fill up my inbox with useless information. Referencing I think it is highly unlikely we are going to be hit by any severe issue in the core GitHub actions. I am very willing to accept an occasional disruption in favor of reduced stress.
targeting the major tags lets us get fewer dependabot notifications and check manually for major releases
lgtm
@jsumners I don't think these actions will bump majors very often. The disruption will be minimal for one repo. I still think keeping it to a tag like this is ok.
Thanks @luisorbaiceta, got that one in 57b77ad
I think it's a good idea to reduce Dependabot notifications @jsumners, but I think we're looking in the wrong place.
I expressed my opinion on this already and I disagreed with @jsumners introducing this change arbitrarily. Ultimately my main concern around using branch references is that what lands in the main branch is not deemed stable, so using it is inadvisable. Using major tag references instead is in my opinion the best compromise between staying up to date with fixes and improvements to the action, limiting the noise produced by dependabot and relying on something that's stable.
I think most of us are in favor of landing this. Is there anything more you'd like to add @jsumners?
Awesome! Landed
Using main is asking for trouble: if a broken commit is made to an action's branch then we will immediately feel it. It is considered the least secure method of referencing GitHub Actions.
If we want to be as secure as possible then we should be referencing them using the full length commit SHAs.
Sources:
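The three reference styles discussed in this PR (a branch such as main, a major tag such as v4, and a full-length commit SHA) can be told apart mechanically from the `uses:` lines of a workflow file. The script below is an added example, not code from this PR or from the project; it classifies each `uses:` reference and flags the ones that resolve to a moving branch, an abbreviated SHA, or no ref at all, while accepting full SHAs and tags as the PR's compromise. The workflow text, the action names and the 40-hex-digit SHA in it are constructed placeholders, not real commits or actions.

```python
import re

# Constructed sample workflow (assumption: not a file from this repository or this PR).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main
      - uses: actions/setup-node@v4
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # placeholder SHA, not a real commit
      - uses: example-org/example-action@abc1234
      - uses: example-org/other-action
      - uses: ./.github/actions/local-step
      - run: npm test
"""

# Captures the value of a `uses:` key (quoted or not), stopping at whitespace or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")
MAJOR_TAG_RE = re.compile(r"^v?\d+$")
EXACT_TAG_RE = re.compile(r"^v?\d+\.\d+(\.\d+)?$")

# Policy in the spirit of the PR: a full SHA is the strongest pin, a tag is the accepted
# compromise, and a branch, an abbreviated SHA or a missing ref is flagged.
ACCEPTED_KINDS = {"full-sha", "major-tag", "exact-tag", "local"}


def classify_ref(uses_value):
    """Split one `uses:` value into (target, ref, kind)."""
    if uses_value.startswith("./"):
        return uses_value, None, "local"        # action in the same repo, no external ref
    if uses_value.startswith("docker://"):
        return uses_value, None, "docker"       # container image; digest policy handled elsewhere
    target, sep, ref = uses_value.partition("@")
    if not sep:
        return target, None, "unpinned"         # no ref at all: follows the default branch
    if FULL_SHA_RE.match(ref):
        kind = "full-sha"
    elif MAJOR_TAG_RE.match(ref):
        kind = "major-tag"
    elif EXACT_TAG_RE.match(ref):
        kind = "exact-tag"
    elif SHORT_SHA_RE.match(ref):
        kind = "short-sha"                      # abbreviated SHA: not the full-length pin the PR asks for
    else:
        kind = "branch"                         # e.g. main, master, develop
    return target, ref, kind


def audit_workflow(text):
    """Return one finding per `uses:` reference with its ref kind and policy verdict."""
    findings = []
    for match in USES_RE.finditer(text):
        target, ref, kind = classify_ref(match.group(1))
        findings.append({
            "uses": match.group(1),
            "target": target,
            "ref": ref,
            "kind": kind,
            "accepted": kind in ACCEPTED_KINDS,
        })
    return findings


def flagged_refs(text):
    """Return the `uses:` values that the policy rejects, in file order."""
    return [f["uses"] for f in audit_workflow(text) if not f["accepted"]]


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        status = "ok  " if finding["accepted"] else "FLAG"
        print(f"{status} {finding['kind']:<10} {finding['uses']}")
```

Run against the constructed workflow, the checker flags the `@main` reference, the abbreviated SHA and the reference with no ref at all, and accepts the `@v4` tag and the full SHA. Tightening `ACCEPTED_KINDS` to `{"full-sha", "local"}` turns it into the stricter "full length commit SHAs only" policy the PR description mentions.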