Open dirkdev98 opened 1 month ago
Do tools like dependabot understand @workflow-name-v1.2 -> @workflow-name-v1.3 or do they try to bump to in between versions of other releases?
Doesn't seem like it: https://github.com/dependabot/dependabot-core/issues/8451 .
GitHub advises to use the SHA value for third-party actions, so that's what we should advise our users in the meantime. It might get noisy tho when using dependabot, so you might want to instruct Dependabot to ignore these workflows for now and manually check if an update is necessary.
Version bump tools currently try to bump to each commit on this repo. By tagging the workflows explicitly, we might be able to prevent that.
Some things to figure out:
- Do tools like dependabot understand @workflow-name-v1.2 -> @workflow-name-v1.3 or do they try to bump to in between versions of other releases?
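The thread recommends referencing third-party actions by commit SHA rather than by tag. The following is an added example, not part of the original issue or the project's code: a small audit that lists every `uses:` reference in a workflow file that is not pinned to a full 40-character SHA. The organisation and repository names, the SHA and the sample workflow are constructed placeholders.

```python
import re

# Matches a `uses:` key on a step or on a job (reusable workflow call).
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(ref: str) -> str:
    """Return 'local', 'docker', 'sha', 'mutable' or 'unpinned' for a uses: value."""
    if ref.startswith("./"):
        return "local"      # same-repo action or workflow, no version to pin
    if ref.startswith("docker://"):
        return "docker"     # container image reference, not covered here
    _target, sep, version = ref.partition("@")
    if not sep:
        return "unpinned"
    # Tags and branches can be moved to another commit; a full SHA cannot.
    return "sha" if SHA_RE.match(version) else "mutable"


def audit(workflow_text: str):
    """Return (line_number, ref, kind) for each reference not pinned to a SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        kind = classify(m.group(1))
        if kind in ("mutable", "unpinned"):
            findings.append((lineno, m.group(1), kind))
    return findings


# Constructed sample workflow; org, repo and SHA are placeholders.
SAMPLE = """\
jobs:
  lint:
    uses: example-org/workflows/.github/workflows/lint.yml@workflow-name-v1.2
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/setup@0123456789abcdef0123456789abcdef01234567 # v1.3
      - uses: ./.github/actions/local
      - name: Test
        uses: example-org/test@main
"""

if __name__ == "__main__":
    for lineno, ref, kind in audit(SAMPLE):
        print(f"line {lineno}: {ref} ({kind})")
```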