ataylorme / eslint-annotate-action

A GitHub action that takes ESLint results from a JSON file and adds them as annotated pull request comments
MIT License

Suggestions for Improved Management of GITHUB_TOKEN and Tagging Practices #77

Closed iamfj closed 2 months ago

iamfj commented 4 months ago

Dear Maintainers,

I hope this message finds you well. I am writing to express some concerns regarding the current handling of the GITHUB_TOKEN and the deletion of existing tags within the project. As an active user and advocate for your GitHub action, I've noticed that recent changes have impacted both individual and organizational workflows that rely on your tool.

I understand the complexities involved in maintaining such a project and appreciate the effort you put into it. However, I believe that the stability and reliability of the action could be significantly improved by adopting more stringent change management practices. Specifically, I suggest:

  1. Ensuring that updates do not alter or invalidate the GITHUB_TOKEN unexpectedly.
  2. Avoiding the deletion of tags once they have been established, as this can disrupt users' dependencies and deployment pipelines.
  3. Implementing a clear communication strategy for upcoming changes, especially those that could be considered breaking changes. This might include updating documentation, sending out release notes, or using other channels to inform users ahead of time.

I also want to extend an offer to assist in optimizing the release workflows for this action. I believe that together, we can enhance the reliability of releases and improve overall developer experience. I am more than willing to contribute my time and resources to help make this happen.

Please let me know your thoughts on this matter and whether there is an opportunity for me to assist. I am looking forward to your response and am eager to contribute to the future success of this project.

Thank you for your time and consideration.

Best regards, Fabian

ataylorme commented 4 months ago

Hi Fabian, I appreciate you reaching out. Can you elaborate on what tags you are relying on that were deleted?

The project follows semantic versioning. The current release is v2 and there is work on v3 ongoing as it will have breaking changes to the GITHUB_TOKEN input. I plan to create release notes when a 3.0.0 version is released/a tag created. Right now v3 is just a branch.

iamfj commented 4 months ago

Thank you for your prompt response and for addressing our concerns.

I would like to clarify that we have been utilizing version 3 (v3) of your GitHub action for several months without issue. However, as of today, we encountered a significant problem where the v3 tag appears to have been removed or altered, leading to widespread failures across our pipelines.

Additionally, in recent days, we've observed erratic behavior related to the GITHUB_TOKEN and its interaction with your action. It seems that the code associated with the v3 tag has been undergoing frequent changes, which has resulted in inconsistent performance and reliability issues. This situation was further complicated when Dependabot recommended updating to v3, suggesting that it was a stable release.

I appreciate your team's commitment to resolving these issues and am willing to provide additional information or assistance as needed to help rectify the situation. Our primary goal is to ensure a stable and reliable workflow for our projects, and we believe that with your support, we can achieve this.

Thank you once again for your attention to these matters. I look forward to your response.

ataylorme commented 4 months ago

I am not sure how you have been using version 3 for many months when it has not existed that long.

I created a v3 branch (not tag or release) about a month ago on January 27th, 2024.

I would advise you stick to v2 until v3 is released. If you would like a specific tag you can use 2.2.0

For the Dependabot suggestion to upgrade it was mentioned in #76 and I renamed the branch from v3 to v3-beta to make it clearer v3 is still a work in progress

iamfj commented 4 months ago

To confirm, you are correct: Dependabot did indeed suggest the update to version 3 (v3) of your GitHub action on January 29th. This automated recommendation led us to adopt v3 across our projects, under the assumption that this version was stable and ready for production use.

ataylorme commented 4 months ago

And that was a genuine mistake on my part which I apologize for. I did not realize that Dependabot would pick up the branch being created without a release/tag. My understanding was that a release/tag is needed but that obviously isn’t the case.

I would advise you to go back to v2 until v3 is released

iamfj commented 4 months ago

Thank you for your quick and honest response regarding the Dependabot situation with the v3 branch. Mistakes happen, and your transparency in addressing this issue is greatly appreciated.

Following your suggestion, we will revert to using version 2 (v2) of the GitHub action until version 3 (v3) is officially ready for release. This approach seems to be the best course of action to maintain stability in our projects.

Furthermore, I would like to extend our support for the ongoing development and maintenance of this GitHub action. We value this action highly and are more than willing to contribute in any way that can help enhance its reliability.

Please feel free to reach out if there is anything specific that we can assist with. We're here to help and look forward to contributing to the success of this project.

Thank you once again for addressing this matter promptly and for your dedication to the community. 🙏🏼 🚀

ataylorme commented 2 months ago

3.0.0 has been released. Please update any references to the v3 branch instead of v3-beta
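
The thread turns on `@v3` resolving to a branch that kept changing rather than to a released tag. As an added example (not part of the thread or of the action's own code), this Python sketch audits a workflow file's `uses:` references by their shape alone and flags every ref that is not a full commit SHA; the sample workflow, the `example-org/example-action` name and its SHA are constructed placeholders.

```python
import re

# Constructed sample workflow; the 40-character SHA is a placeholder, not a real commit.
SAMPLE = """\
name: lint
on: pull_request
jobs:
  eslint:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567  # constructed
      - uses: ataylorme/eslint-annotate-action@v3
      - uses: ataylorme/eslint-annotate-action@2.2.0
      - uses: ataylorme/eslint-annotate-action@v3-beta
      - uses: ./local-action
"""

# Matches "uses: owner/repo[/path]@ref"; local "./" and "docker://" references do not match.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w./-]+)@([^\s'\"#]+)", re.M)

def classify_ref(ref):
    """Classify a ref by its shape only; no network lookup is made."""
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        return "commit-sha"      # immutable: cannot be moved or deleted upstream
    if re.fullmatch(r"v?\d+\.\d+\.\d+", ref):
        return "exact-version"   # a release tag by convention, but tags can be moved
    if re.fullmatch(r"v?\d+(\.\d+)?", ref):
        return "floating-major"  # a moving tag or, as with v3 in this thread, a branch
    return "branch-like"         # e.g. v3-beta or main: tracks whatever is pushed

def audit_workflow(text):
    """Return (line_no, action, ref, kind) for every remote action reference."""
    findings = []
    for m in USES_RE.finditer(text):
        line_no = text.count("\n", 0, m.start(2)) + 1
        findings.append((line_no, m.group(1), m.group(2), classify_ref(m.group(2))))
    return findings

def mutable_refs(text):
    """References whose code can change without the workflow file changing."""
    return [f for f in audit_workflow(text) if f[3] != "commit-sha"]

if __name__ == "__main__":
    for line_no, action, ref, kind in mutable_refs(SAMPLE):
        print(f"line {line_no}: {action}@{ref} is {kind}")
```

The classification cannot tell a branch from a tag of the same name; confirming which one a ref is requires checking the action's repository.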