Currently we use mixed GitHub Action version resolution methods: tags and commit SHAs:
Tag: https://github.com/cnoe-io/idpbuilder/blob/a4d68833a5e501db461628745ff5a6a7de5363e0/.github/workflows/codespell.yaml#L20
SHA: https://github.com/cnoe-io/idpbuilder/blob/a4d68833a5e501db461628745ff5a6a7de5363e0/.github/workflows/release.yaml#L14
We should decide which one we want to use. Hash is safer because, in case of compromises in GH action repos, we should have a much reduced chance of running compromised versions. This comes with maintenance overhead because we now have to update action versions. What do you think we should do? I think we should use hash for security reasons, but I certainly do not want to deal with the chores that come with it.
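As an added illustration of the tag-versus-SHA distinction above (not code from the idpbuilder repository), here is a small audit that scans a workflow file for `uses:` steps and reports which ones are pinned to a full commit SHA and which still resolve a mutable tag. The workflow text and the 40-hex SHA in it are constructed samples, not real commits.

```python
import re
from typing import List, Tuple

# Constructed sample workflow (not from the idpbuilder repo): one tag-pinned
# step and one SHA-pinned step, mirroring the two styles linked in the issue.
# The SHA below is a placeholder, not a real actions/setup-go commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5.0.2
      - uses: ./.github/actions/local-action
      - run: go test ./...
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify(ref: str) -> str:
    """'sha' for a full 40-hex commit; anything else (tag, branch, short SHA) is 'tag'."""
    return "sha" if SHA_RE.match(ref) else "tag"

def audit_workflow(text: str) -> List[Tuple[str, str, str]]:
    """Return (action, ref, kind) for every remote `uses:` step.

    Local actions ('./...') and docker:// references are skipped because they
    are not fetched from a third-party git repository at run time.
    """
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            continue
        action, _, ref = spec.partition("@")
        findings.append((action, ref, classify(ref) if ref else "unpinned"))
    return findings

def unpinned_actions(text: str) -> List[str]:
    """Actions not pinned to a full commit SHA, i.e. the ones the issue proposes to fix."""
    return [action for action, _, kind in audit_workflow(text) if kind != "sha"]

if __name__ == "__main__":
    for action, ref, kind in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{kind:8} {action}@{ref}")
```

Keeping the human-readable version as a trailing comment (`@<sha> # v5.0.2`) is what lets tooling such as Dependabot bump the SHA while the comment documents which release it corresponds to.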