renovate: Update GitHub Actions via semver tags *with* SHAs #18
Merged
There are two primary ways to have Renovate keep third-party GitHub Actions up-to-date:

1. pin to a semantic version (`uses: foo/bar@v1.2.3`), or
2. pin to a commit hash (`uses: foo/bar@abcdef012345`)

Approach (1) is much more understandable at-a-glance and more compatible with Renovate's "show the changelog" feature. Also, it avoids depending directly on the bleeding edge of the `master` branch of these actions. On the other hand, (2) is much better for security and reproducibility, since repo authors are free to overwrite tags whenever they wish.

I noticed that https://github.com/astral-sh/uv was using a hybrid approach where they were using a syntax like

3. pin to both (`uses: foo/bar@abcdef012345 # v1.2.3`)

which seems to be the best of both worlds. So this patch is just copypasta from https://github.com/astral-sh/uv/blob/574aa1ef110ef08293512eb200bd6881bb738179/.github/renovate.json5#L25-L35
The previous ref (8edcb1b...) was actually pointing to the HEAD of this repo which is a little ahead of the tag, though the only diff is to `README.md` and `CODEOWNERS` https://github.com/actions/checkout/compare/v4.2.2..8edcb1bdb4e267140fa742c62e395cd74f332709
This is the equivalent of Everlaw/fastText#7.
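
A check for the hybrid pin form described in this PR, as an added example that is not part of the PR or of Renovate: it scans workflow text and reports every `uses:` reference that is not a commit SHA followed by a semver comment. The function names, the sample workflow, and the second SHA are constructed for illustration; the check assumes pins use the full 40-character hex SHA.

```python
import re

# A step-level or job-level `uses:` reference with an optional trailing comment.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)['\"]?\s*(?:#\s*(.*\S))?\s*$")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")   # assumption: full-length SHA pins only
SEMVER_RE = re.compile(r"v?\d+\.\d+\.\d+")

def classify(line):
    """Return (action, kind) for a `uses:` line, or None for any other line."""
    m = USES_RE.match(line)
    if not m:
        return None
    target, comment = m.group(1), m.group(2) or ""
    if target.startswith(("./", "docker://")):
        return (target, "local-or-docker")  # not a repository ref, out of scope
    action, _, ref = target.partition("@")
    if FULL_SHA_RE.fullmatch(ref):
        # Approach (3) needs the version comment; a bare SHA is approach (2).
        kind = "sha+version" if SEMVER_RE.fullmatch(comment) else "sha-only"
    elif SEMVER_RE.fullmatch(ref):
        kind = "tag"                        # approach (1): the tag can be moved
    else:
        kind = "other-ref"                  # branch, major-only tag, short SHA
    return (action, kind)

def audit(workflow_text):
    """List (line number, action, kind) for refs not in the hybrid form."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        result = classify(line)
        if result and result[1] not in ("sha+version", "local-or-docker"):
            findings.append((n, result[0], result[1]))
    return findings

# Constructed sample workflow; the first SHA is the ref quoted in this PR.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8edcb1bdb4e267140fa742c62e395cd74f332709
      - uses: foo/bar@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: foo/bar@v1.2.3
      - uses: foo/bar@master
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for lineno, action, kind in audit(SAMPLE):
        print(f"line {lineno}: {action} is pinned as {kind}")
```

The check only inspects the form of each reference; it does not confirm that the SHA is the commit the tag in the comment points to.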