Closed rdimitrov closed 5 months ago
Hi @rdimitrov,
thank you for this contribution. We are already using renovate to manage our dependencies, so these changes would be overwritten by the next update (which would run after we merge this contribution). I think the right way forward for us is to configure renovate to use commit hashes.
Are there any additional benefits of your tool that I am missing? Currently I would be hesitant to introduce another tool to our project.
In any case many thanks for highlighting this issue and being proactive!
Closing based on the discussion in https://github.com/dev-sec/ansible-collection-hardening/pull/773#issuecomment-2182783824
Hey, 👋
The following PR pins actions to their commit hash.
Pinning images and actions to their commit hash ensures that the same version of the image or action is used every time the workflow runs. This is important for reproducibility and security, and it is a security practice recommended by GitHub.
I did this using the frizbee CLI, but if you liked it and also want to keep this consistent, there's a frizbee-action which you can use to automate this.
Thanks!