makew0rld / dither

A fast, correct image dithering library in Go.
Mozilla Public License 2.0

Add dependabot check for GitHub action workflows #16

Closed deining closed 7 months ago

deining commented 7 months ago

This PR adds a dependabot check for GitHub action workflows to get pull requests for workflow action updates automatically. For security reasons, it also pins GitHub actions by commit hash rather than by version. This way of addressing actions plays nicely with dependabot.
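
For readers unfamiliar with the two pieces the PR description refers to, the configuration below is an added illustration written for this page, not the files from the PR or from the dither repository. The `dependabot.yml` block uses Dependabot's documented `github-actions` ecosystem; the workflow step uses `actions/checkout` as an assumed example action, and the commit SHA and version comment are placeholders rather than real values.

```yaml
# .github/dependabot.yml (added example, not from the PR)
# Tells Dependabot to watch the workflows under .github/workflows/
# and open PRs when an action referenced there has a newer release.
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"          # Dependabot looks in .github/workflows/ for this ecosystem
    schedule:
      interval: "weekly"

# Excerpt from a workflow file, showing the pinning change the PR describes.
#
# Pinned by version tag: a mutable reference. The tag can be moved to a
# different commit by whoever controls the action repository, but it also
# picks up patch releases (including security fixes) without a PR.
# steps:
#   - uses: actions/checkout@v4
#
# Pinned by full commit hash: an immutable reference. The workflow runs
# exactly the audited commit until a PR changes it. Dependabot recognises
# the trailing "# vX.Y.Z" comment, and when it opens an update PR it bumps
# both the hash and the comment together, so the pin stays readable.
steps:
  - uses: actions/checkout@<FULL_40_HEX_COMMIT_SHA_PLACEHOLDER> # vX.Y.Z
```

The trade-off is the one the maintainer raises below: a hash pin removes the automatic patch-level update that a major tag gives, so the Dependabot check is what keeps a hash-pinned workflow from silently falling behind.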

makew0rld commented 7 months ago

Thanks for submitting, but I don't think I'm interested in this PR. GitHub's official actions repos being taken over is not part of my threat model. It also doesn't seem like much of a security issue due to there not being any secrets involved in the workflow.

I can't find a link for it now, but I believe there was recently a security issue where not using a major tag would cause issues, because you wouldn't get the automatic security update.

The Dependabot automatic PRs also seem unnecessary due to low commit volume in this repo.

deining commented 7 months ago

Thanks for the detailed explanation, I fully respect your decision!