Pull request overview
This PR tests changes to the action-diff-triggers dependency by updating to an unreleased feature branch and modifying the input parameter name from diff_branch to ref. The changes appear to be for testing visibility improvements in the diff triggers action.
Changes:
- Updated bcgov/action-diff-triggers reference from a pinned SHA (v1.0.0) to a mutable feature branch (feat/visibility-improvements)
- Renamed the input parameter from `diff_branch` to `ref` when calling the action-diff-triggers action
| # Send triggers to diff action | ||
| - id: triggers | ||
| uses: bcgov/action-diff-triggers@a4753d53614cac4eb417cd35b05e0e401a76fc9d # v1.0.0 | ||
| uses: bcgov/action-diff-triggers@feat/visibility-improvements |
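Review bot: the trailing `# v1.0.0` comment disappears together with the SHA on the `uses:` line, so the workflow no longer records which release it was built against. If the mutable branch ref is only for testing, keep the revert visible in the file itself, e.g. `uses: bcgov/action-diff-triggers@feat/visibility-improvements # TODO: re-pin to a4753d53614cac4eb417cd35b05e0e401a76fc9d (v1.0.0) or the released SHA before merge`, so the pin is restored once the feature branch ships.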
The action reference has been changed from a pinned commit SHA with a version tag comment to a feature branch reference. This is problematic for several reasons:
- Feature branches are mutable and can change at any time, making builds non-reproducible
- The previous version used a commit SHA (a4753d53614cac4eb417cd35b05e0e401a76fc9d) with a version comment (v1.0.0), which follows security best practices for GitHub Actions
- This change removes the security benefits of SHA pinning and introduces unpredictability
For testing purposes, a feature branch reference might be acceptable temporarily, but this should not be merged to a production branch without reverting to a pinned SHA or version tag once the feature branch is merged and released.
| uses: bcgov/action-diff-triggers@feat/visibility-improvements | |
| uses: bcgov/action-diff-triggers@a4753d53614cac4eb417cd35b05e0e401a76fc9d # v1.0.0 |
No description provided.