The GitHub Action would only trigger when the pom.xml was changed. If someone makes a PR where the lockfile.json is changed but the pom stays the same, the maven-lockfile GitHub Action would not trigger and a faulty lockfile might accidentally get committed. Someone could, for example, modify a checksum, thus enabling tampered dependencies to pass a verify check later.
See #881
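To make the gap concrete, here is an added illustration of the trigger problem described in the issue; it is not the maven-lockfile project's own workflow. The file name, job layout and the `mvn` invocation of the plugin's validate goal are assumptions made for the example. The weak `paths` filter (left as comments) fires only on pom.xml edits; the live configuration below it fires on changes to either file, so a PR that only rewrites a checksum in lockfile.json is validated too.

```yaml
# Assumed file: .github/workflows/lockfile-check.yml (example, not the project's own)

# Weak trigger: the job runs only when pom.xml changes, so a PR that edits
# lockfile.json alone (e.g. swapping a checksum) is never validated.
#
# on:
#   pull_request:
#     paths:
#       - 'pom.xml'

# Corrected trigger: run whenever the build file OR the lockfile changes,
# and on pushes to the default branch so a direct push is caught as well.
# Both the root file and nested copies in multi-module builds are listed.
name: lockfile-check
on:
  pull_request:
    paths:
      - 'pom.xml'
      - '**/pom.xml'
      - 'lockfile.json'
      - '**/lockfile.json'
  push:
    branches: [main]
    paths:
      - 'pom.xml'
      - '**/pom.xml'
      - 'lockfile.json'
      - '**/lockfile.json'

jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
      # Assumed invocation of the maven-lockfile plugin's validate goal;
      # check the project's README for the exact coordinates and goal name.
      - name: Validate lockfile against resolved dependencies
        run: mvn -B io.github.chains-project:maven-lockfile:validate
```

The simplest fix is to drop the `paths` filter entirely so validation runs on every PR; the filter is kept here only to show that, if one is used, lockfile.json must be part of it. A validate step that runs on the pull request alone still does not protect against a checksum edited together with the matching tampered artifact in a private mirror, so the lockfile should also be enforced at build time, not only in CI.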