renovate: Update GitHub Actions via semver tags *with* SHAs #7
Conversation
TODO: Make a PR with an equivalent change into each of our repos which use Renovate:
hansi-zheng
left a comment
LGTM, I assume renovate would be able to rebase the opened PR after this change is in effect?
Yeah I think so, but I'll double-check.
There are two primary ways to have Renovate keep third-party GitHub Actions up-to-date:

1. pin to a semantic version (`uses: foo/bar@v1.2.3`), or
2. pin to a commit hash (`uses: foo/bar@abcdef012345`)

Approach (1) is much more understandable at-a-glance and more compatible with Renovate's "show the changelog" feature. Also, it avoids depending directly on the bleeding edge of the `master` branch of these actions. On the other hand, (2) is much better for security and reproducibility, since repo authors are free to overwrite tags whenever they wish.

I noticed that https://github.com/astral-sh/uv was using a hybrid approach where they were using a syntax like

3. pin to both (`uses: foo/bar@abcdef012345 # v1.2.3`)

which seems to be the best of both worlds. So this patch is just copypasta from https://github.com/astral-sh/uv/blob/574aa1ef110ef08293512eb200bd6881bb738179/.github/renovate.json5#L25-L35
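A small audit script for the pinning convention discussed above (approach 3: full commit SHA plus a `# vX.Y.Z` comment). This is an added example, not code from the PR or from uv's Renovate config; the sample workflow and its SHA are constructed placeholders, and it only classifies `uses:` lines, it does not verify that a SHA actually belongs to the tag in the comment.

```python
import re

# A `uses:` line in a workflow, capturing the action ref and any trailing comment,
# e.g. `- uses: foo/bar@<sha> # v1.2.3`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>.*))?$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # full-length commit hash only
SEMVER_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")  # v4, v4.2 or v4.2.2


def classify(line):
    """Return (ref, status) for a `uses:` line, or None if the line is not one.

    status: 'local'   - ./path or docker:// reference (not a git ref)
            'sha+tag' - full SHA with a semver comment (approach 3)
            'sha'     - full SHA but no version comment
            'tag'     - semver tag only (approach 1: the tag is mutable)
            'branch'  - anything else, e.g. @master or an abbreviated SHA
    """
    m = USES_RE.match(line)
    if not m:
        return None
    ref = m.group("ref")
    comment = (m.group("comment") or "").strip()
    if ref.startswith("./") or ref.startswith("docker://"):
        return ref, "local"
    if "@" not in ref:
        return ref, "branch"
    version = ref.rsplit("@", 1)[1]
    if SHA_RE.match(version):
        return ref, "sha+tag" if SEMVER_RE.match(comment) else "sha"
    if SEMVER_RE.match(version):
        return ref, "tag"
    return ref, "branch"


def audit(workflow_text):
    """Return the refs that are not pinned SHA-with-tag (or local)."""
    results = (classify(line) for line in workflow_text.splitlines())
    return [r for r in results if r and r[1] not in ("sha+tag", "local")]


# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: actions/setup-node@v4
      - uses: foo/bar@master
      - uses: ./.github/actions/local-thing
"""

if __name__ == "__main__":
    for ref, status in audit(SAMPLE):
        print(f"{status:>7}: {ref}")
```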
The previous ref (8edcb1b...) was actually pointing to the HEAD of this repo which is a little ahead of the tag, though the only diff is to `README.md` and `CODEOWNERS` https://github.com/actions/checkout/compare/v4.2.2..8edcb1bdb4e267140fa742c62e395cd74f332709
Well, actually there's not really a way to check (there's no PRs Renovate would open), but I did already do a test of this as I mentioned in the PR description:
I tested this by running https://github.com/Everlaw/renovate-bot-config/actions/workflows/renovate-action.yml against this branch (with 259a149) and it created #9 🎉