Use version tags for 3rd party GH Actions #3770
Conversation
This switches our third party GitHub Action references to use the major version tag rather than the SHA. This means the actions will automatically use the latest tag within that version, and Dependabot updates will only be necessary when there is a major version bump where we will want to evaluate the included changes before updating.
Signed-off-by: Sean McGinnis <[email protected]>
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: stmcginnis. The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
We used SHAs intentionally because it means that you have T.O.F.U. and you don't have any surprise changes. The dependabot PRs can be reverted, but we can't go revert their tag changes.
I thought that might be the case. 👍
@aojea might have other thoughts, but I think especially "we can trivially revert any issues" is worth it, even if we wind up with more dependabot PRs to review :-)
No strong opinion here, I always prefer pinned dependencies, I haven't really had many issues with GitHub actions dependencies so I can't really say ... I expect them to be very stable
There's also the concern about effectively curl | bash into your CI infra (versus e.g. at least hash pinning) behind a mutable pointer. We currently don't allow github actions access to much but ...
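As an added example, not part of this PR or the project's repository: a small check that flags workflow `uses:` references resolving through a mutable tag or branch rather than a full commit SHA, which is the distinction the comments above weigh. The workflow text is constructed for the example and the 40-hex SHA in it is a placeholder, not a real commit.

```python
import re

# Constructed sample workflow (not from the PR) mixing pinning styles.
# The 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5.0.0
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - uses: some-org/some-action@main
      - run: go test ./...
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")


def classify_ref(ref):
    """Return 'sha', 'mutable' or 'skip' for one `uses:` reference.

    Local (./) and docker:// references are outside the owner/repo@ref
    model, so they are skipped rather than judged here."""
    ref = ref.strip("\"'")
    if ref.startswith("./") or ref.startswith("docker://"):
        return "skip"
    if "@" not in ref:
        return "mutable"  # no ref at all: resolves to the default branch
    target = ref.rsplit("@", 1)[1]
    # Only a full commit SHA is immutable; tags and branches can be moved.
    return "sha" if FULL_SHA.match(target) else "mutable"


def find_mutable_uses(workflow_text):
    """Return (line_no, ref) for each action not pinned to a full commit SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_LINE.match(line)
        if m and classify_ref(m.group(1)) == "mutable":
            findings.append((n, m.group(1).strip("\"'")))
    return findings


if __name__ == "__main__":
    for line_no, ref in find_mutable_uses(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} is not pinned to a commit SHA")
```

Run in CI against `.github/workflows/*.yml`, a non-empty result can fail the build so a tag- or branch-based reference cannot land unnoticed.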