For now, I've excluded dependencies from actions/ as these are "2nd party" actions, developed and published by GitHub. We have higher trust that GitHub published actions won't spuriously force push tag values, resulting in non deterministic runtime behavior.
If you'd like to pin all dependencies, let me know and I'll update this to include everything. This will result in a higher sustaining burden, as Dependabot (https://github.com/jetpack-io/devbox-install-action/pull/31) will generate many more updates for pinned actions/ actions.
wadells
commented
6 months ago
GitHub recommends pinning 3rd party actions for security and reproducibility. This should be a familiar idea for folks who've worked with Nix. 😄
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
For now, I've excluded dependencies from
actions/as these are "2nd party" actions, developed and published by GitHub. We have higher trust that GitHub published actions won't spuriously force push tag values, resulting in non deterministic runtime behavior.If you'd like to pin all dependencies, let me know and I'll update this to include everything. This will result in a higher sustaining burden, as Dependabot (https://github.com/jetpack-io/devbox-install-action/pull/31) will generate many more updates for pinned
actions/actions.