Closed leouieda closed 6 months ago
I noticed that dependabot replaces the hashes from commits with tags. Do we want to allow it to do so for actions that use our tokens?
If so, maybe we should update those comments saying we are actually pinning the commit hashes, right?
Hey Santi, I thought it would be fine. The only one we actually use is the Cancel Workflow one, which honestly, we can probably get rid of. The others are official PyPI actions, official Codecov actions, and official GitHub actions, so it shouldn't be a problem.
Now that I think about it, the only reason commits would be safer is if we audited the action to know that the particular commit doesn't do anything dangerous. We don't do this so I think the risk is pretty much the same.
Would you agree to remove the Cancel workflow actions?
I see. I think cancelling workflows is a nice feature, so we avoid using resources unnecessarily, but we can live with that.
I haven't looked too much into it, but I think there's a way to cancel previous workflows through the GitHub Actions API, specifically by configuring the concurrency: https://www.meziantou.net/how-to-cancel-github-workflows-when-pushing-new-commits-on-a-branch.htm
I might need to research on that. But for now, feel free to remove it.
You can also do it manually. But yes, I think our development pace is slow enough that this isn't significant. I'll remove it here and elsewhere.
Done! Merging this in then.
The Actions we use have pinned versions and it's almost impossible to keep up with new releases of them. Add configuration for Dependabot to track the Actions versions and send pull requests when new versions are available. This only works if version numbers are pinned instead of the commit hashes. I think the benefit of being updated outweighs any risk associated with this.
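As an added example (not code from this pull request or the project), the script below audits a workflow file for the trade-off discussed above: it lists each third-party `uses:` reference and reports whether it is pinned to a full commit SHA or resolves through a mutable tag or branch. The sample workflow, its placeholder SHA, and the function names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A `uses:` step or job reference of the form owner/repo[/path]@ref with an
# optional trailing "# vX.Y.Z" comment. Local (./...) and docker:// references
# carry no "@" and are deliberately not matched.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
    r"\s*(?:#\s*(?P<comment>\S.*?))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Pin:
    action: str
    ref: str
    immutable: bool              # True only for a full 40-hex commit SHA
    version_hint: Optional[str]  # text of a trailing "# v1.2.3" comment, if any


def audit_workflow(text: str) -> List[Pin]:
    """Return every third-party action reference found in a workflow file."""
    pins = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        pins.append(Pin(m.group("action"), ref, bool(SHA_RE.match(ref)), m.group("comment")))
    return pins


def mutable_refs(text: str) -> List[str]:
    """References that go through a tag or branch, which the upstream repo can move."""
    return [f"{p.action}@{p.ref}" for p in audit_workflow(text) if not p.immutable]


# Constructed sample workflow; the SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5.0.0
      - uses: codecov/codecov-action@main
      - uses: ./.github/actions/local-helper
"""

if __name__ == "__main__":
    for p in audit_workflow(SAMPLE_WORKFLOW):
        state = "pinned to commit" if p.immutable else "mutable ref"
        hint = f" ({p.version_hint})" if p.version_hint else ""
        print(f"{p.action}@{p.ref}: {state}{hint}")
```

Dependabot also updates SHA-pinned references when the line carries a trailing version comment, so the `version_hint` field shows which commit pins remain trackable without giving up the immutable reference.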