@kmurphy4 kmurphy4 commented Aug 1, 2025

This is the equivalent of Everlaw/fastText#7.

There are two primary ways to have Renovate keep third-party GitHub
Actions up-to-date:

1. pin to a semantic version (`uses: foo/bar@v1.2.3`), or
2. pin to a commit hash (`uses: foo/bar@abcdef012345`)

Approach (1) is much more understandable at a glance and more compatible
with Renovate's "show the changelog" feature. Also, it avoids depending
directly on the bleeding edge of the `master` branch of these actions.

On the other hand, (2) is much better for security and reproducibility,
since repo authors are free to overwrite tags whenever they wish.

I noticed that https://github.com/astral-sh/uv was using a hybrid
approach where they were using a syntax like

3. pin to both (`uses: foo/bar@abcdef012345 # v1.2.3`)

which seems to be the best of both worlds.  So this patch is just
copypasta from
https://github.com/astral-sh/uv/blob/574aa1ef110ef08293512eb200bd6881bb738179/.github/renovate.json5#L25-L35
The previous ref (8edcb1b...) was actually pointing to the HEAD of
this repo, which is a little ahead of the tag, though the only diff
is to `README.md` and `CODEOWNERS`: https://github.com/actions/checkout/compare/v4.2.2..8edcb1bdb4e267140fa742c62e395cd74f332709
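As an added example (not part of this PR nor of the uv config it copies), a small Python checker that classifies each `uses:` reference in a workflow into the pinning styles described above, so a reviewer or CI job can flag actions that are still pinned to a mutable tag or to an abbreviated hash. The workflow snippet and the 40-character SHA in it are constructed placeholders, not real commits of those actions.

```python
import re
from typing import NamedTuple

# Constructed sample workflow (not from the PR); the SHA is a placeholder.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4.2.2
  - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5.1.0
  - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
  - uses: foo/bar@abcdef012345
  - uses: ./.github/actions/local-thing
  - uses: docker://alpine:3.20
"""

# `uses: <owner>/<repo>@<ref>` with an optional trailing `# <comment>`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<spec>\S+)(?:\s*#\s*(?P<comment>.*))?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")
VERSION_RE = re.compile(r"^v?\d+(\.\d+)*$")


class Pin(NamedTuple):
    action: str
    ref: str
    kind: str      # "sha+version", "sha", "short-sha" or "mutable"
    comment: str


def classify(ref: str, comment: str) -> str:
    """Map a ref (plus trailing comment) to one of the pinning styles."""
    if FULL_SHA_RE.match(ref):
        # Style (3) when the comment carries the human-readable version.
        return "sha+version" if VERSION_RE.match(comment) else "sha"
    if SHORT_SHA_RE.match(ref):
        # Abbreviated hash: resolvable today, but not collision-resistant.
        # Caveat: a tag made only of hex characters would land here too.
        return "short-sha"
    return "mutable"  # tag or branch name: the owner can move it (style 1)


def audit_workflow(text: str) -> list[Pin]:
    """Return one Pin per remote `uses:` line; local paths and images skipped."""
    pins: list[Pin] = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        spec, comment = m.group("spec"), (m.group("comment") or "").strip()
        if spec.startswith(("./", "docker://")):
            continue
        action, sep, ref = spec.partition("@")
        pins.append(Pin(action, ref, classify(ref, comment) if sep else "mutable", comment))
    return pins
```

Anything whose `kind` is not `sha+version` is a candidate for the Renovate-managed `@<sha> # v<version>` form this PR switches to.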

@hansi-zheng hansi-zheng left a comment

LGTM

@kmurphy4 kmurphy4 merged commit 7bf5c62 into master Aug 2, 2025
2 checks passed
@kmurphy4 kmurphy4 deleted the feature/actions-semver-and-hash branch August 2, 2025 02:31