Closed l0b0 closed 1 year ago
Hello!
Yes, Dependabot cannot do that, and I don't think it does that for any ecosystem at the moment. Right now, basically, you choose your own style and then Dependabot will respect it when upgrading your dependencies. But it can't help you set or enforce a style.
By the way, yes v3 uses the v3 tag exactly. However, it's a convention for GitHub Actions that v3 will be a rolling tag that always points to the latest v3.x.y tag. So for most actions, it's actually the opposite: bad for reproducibility, but good for making sure you're using the latest version. I think that's pretty confusing but it's how it is now.
So people break the universal convention of tags being fixed in the name of convenience? :cry:
Yes, I don't love it either. You can also use branches though, see the official recommendation.
It'd be nice if actions management didn't require actions' author to keep a moving tag or branch so that major version references work. Ideally actions would do some sane resolution if a tag does not exist, like proposed here: https://github.com/orgs/community/discussions/9847.
But it is what it is now!
IMO the ideal solution would be the one used by `pre-commit autoupdate --freeze`: set the value to the commit ID of the latest tag, and add a comment with the tag name.
Yeah, that's a pretty common style. I think it became popular since openssf scorecard recommended it.
Dependabot fully supports that. You do have to pin your actions manually one time, but then Dependabot will keep them up to date (and also the comments).
Is there an existing issue for this?
Feature description
It's a common practice to declare the use of actions using just the major version, as in `- uses: actions/checkout@v3`. If I understand correctly, this means that it will use version 3 exactly, and will not use future patch or minor versions of the same action. This is good for reproducibility (basically, things should be locked in place and not move randomly outside of users' control), but really bad in terms of making sure the pipeline always uses the latest version. I can't seem to find any way to configure Dependabot to automatically update something like `actions/checkout@v3` to `actions/checkout@v3.0.1` when that version is available, without first manually changing the entry to `actions/checkout@v3.0.0`.