microsoft / tslib

Runtime library for TypeScript helpers.
BSD Zero Clause License

CI: Hashpin sensitive actions and install dependabot #226

Closed diogoteles08 closed 8 months ago

diogoteles08 commented 8 months ago

Closes #225

I've configured dependabot to work the same way as you requested in https://github.com/microsoft/TypeScript/pull/56211

jakebailey commented 8 months ago

Based on #227, this was missing some pipelines, it seems; oops.

diogoteles08 commented 8 months ago

Hi @jakebailey, not sure I understood what you meant on your last comment, can you clarify what was missing?

jakebailey commented 8 months ago

See https://github.com/microsoft/tslib/commit/095b6a0104d551f550a11385907cfa26b595ba35, this PR forgot CI.yml.

diogoteles08 commented 8 months ago

Oh I see. I left the CI.yml unpinned because it didn't have access to any secrets or write permissions, so having it unpinned shouldn't bring any real security threat, and the flexibility of unpinned dependencies can be useful sometimes. But having all actions hash-pinned is not a problem at all 😄.
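The hash-pinning this thread settles on can be checked mechanically. As an added example (not code from tslib or from this PR), the script below scans a workflow file for `uses:` references that are not pinned to a full 40-hex commit SHA; the workflow text it runs over is a constructed sample with a placeholder SHA, not tslib's real CI.yml.

```python
import re

# Matches "uses: owner/repo@ref" (or owner/repo/path@ref), with or without quotes;
# trailing "# v4"-style comments are not part of the captured reference.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def find_unpinned_actions(workflow_yaml: str) -> list[tuple[int, str]]:
    """Return (line_number, reference) for each action not pinned to a commit SHA."""
    unpinned = []
    for lineno, line in enumerate(workflow_yaml.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local actions and docker images have no upstream git ref to pin
        if "@" not in ref:
            unpinned.append((lineno, ref))  # no ref at all: resolves to the default branch
            continue
        _, version = ref.rsplit("@", 1)
        if not FULL_SHA_RE.match(version):
            unpinned.append((lineno, ref))  # tag or branch: mutable, can be moved upstream
    return unpinned


# Constructed sample workflow: one tag-pinned step, one SHA-pinned step (placeholder SHA),
# one local action. Not tslib's CI.yml.
SAMPLE_WORKFLOW = """\
name: CI
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # placeholder SHA, v4
        with:
          node-version: 20
      - uses: ./.github/actions/local-step
      - run: npm ci && npm test
"""

if __name__ == "__main__":
    for lineno, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a commit SHA")
```

Pair a check like this with a `github-actions` entry in dependabot.yml, as done in this PR, so the pinned SHAs still receive update PRs.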