cloudsmith-io / action

GitHub Action that uses the Cloudsmith CLI to interact with the Cloudsmith API (pushes, etc.)
https://github.com/marketplace/actions/cloudsmith-push
MIT License

Provide guidance for consuming the action using a fixed reference #41

Open samkearney opened 8 months ago

samkearney commented 8 months ago

Hello,

As mentioned in the GitHub documentation, best practice for consuming third-party actions is to use a fixed reference such as a tag or SHA. The current README documentation shows this action being consumed @master, which is not ideal from a stability perspective.

I would request one of the following:

(a) Implement release management using tags as described in the GitHub docs linked above. Since it seems like this action is rarely updated, this could be as simple as adding v1 and v1.0.0 tags pointing at the latest commit on master. Then update the README documentation to show the action being consumed using cloudsmith-io/action@v1 instead of cloudsmith-io/action@master.

(b) Update the README documentation to show consumption via a SHA, e.g. cloudsmith-io/action@04d1b7d955cd82529987396158a17fae4faa4d54

Thanks for considering.
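
An added example, not part of the original issue or the project's own code: a small Python check that scans workflow text for `uses:` references and flags the ones that float on a branch such as `@master`. The sample workflow is constructed, the `v1` tag is the one proposed in option (a), and the function names are hypothetical.

```python
import re

# "uses: owner/repo[/path]@ref" on a step line; local (./x) and docker:// refs do not match.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+/[\w.-]+(?:/[^@\s'\"]+)?)@([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_TAG_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")

def classify_ref(ref):
    """Classify a ref by its shape only (assumption: version-like names are tags).
    A full 40-hex commit SHA is the only immutable form; a tag can be moved."""
    if FULL_SHA_RE.match(ref):
        return "sha"
    if VERSION_TAG_RE.match(ref):
        return "tag"
    return "branch-or-unknown"

def audit_workflow(text):
    """Return (line number, action, ref, kind) for every repository action reference."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # skip commented-out steps
            continue
        m = USES_RE.match(line)
        if m:
            findings.append((lineno, m.group(1), m.group(2), classify_ref(m.group(2))))
    return findings

def unpinned(findings):
    """References that are neither a version tag nor a full commit SHA."""
    return [(n, a, r) for n, a, r, kind in findings if kind == "branch-or-unknown"]

# Constructed sample workflow covering the three forms discussed in the issue.
SAMPLE_WORKFLOW = """\
name: push
on: push
jobs:
  push:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Floating branch, as in the current README
        uses: cloudsmith-io/action@master
      - name: Option (a), tag proposed in the issue
        uses: cloudsmith-io/action@v1
      - name: Option (b), full commit SHA
        uses: cloudsmith-io/action@04d1b7d955cd82529987396158a17fae4faa4d54
      # uses: cloudsmith-io/action@master
      - uses: ./local-action
"""

if __name__ == "__main__":
    for lineno, action, ref in unpinned(audit_workflow(SAMPLE_WORKFLOW)):
        print(f"line {lineno}: {action}@{ref} is not pinned to a tag or SHA")
```
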

nickxn commented 2 weeks ago

Thanks for the suggestion @samkearney! I'll feed it back to our engineering team to consider the update.