microsoft / tslib

Runtime library for TypeScript helpers.
BSD Zero Clause License

CI: Hashpin sensitive actions and install dependabot #226

Closed diogoteles08 closed 1 year ago

diogoteles08 commented 1 year ago

Closes #225

I've configured dependabot to work the same way as you requested in https://github.com/microsoft/TypeScript/pull/56211

jakebailey commented 1 year ago

Based on #227, this was missing some pipelines, it seems; oops.

diogoteles08 commented 1 year ago

Hi @jakebailey, not sure I understood what you meant on your last comment, can you clarify what was missing?

jakebailey commented 1 year ago

See https://github.com/microsoft/tslib/commit/095b6a0104d551f550a11385907cfa26b595ba35, this PR forgot CI.yml.

diogoteles08 commented 1 year ago

Oh I see. I left the CI.yml unpinned because it didn't have access to any secrets or write permissions, so having it unpinned shouldn't bring any real security threat, and the flexibility of unpinned dependencies can be useful sometimes. But having all actions hash-pinned is not a problem at all 😄.
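The pinning question discussed in this thread, as an added example that is not code from this PR or from tslib: a small checker that walks a workflow file, flags every `uses:` reference that is not pinned to an immutable digest (a full 40-hex commit SHA for repository actions, a `sha256:` digest for `docker://` images; local `./` actions are skipped because they ship with the repository), and separately reports whether the workflow references secrets or grants write permissions, which is the exposure the comment above reasons about. The sample workflow and both digests are constructed placeholders, not tslib's real CI.yml or real release commits.

```python
import re

# Constructed sample workflow (not tslib's CI.yml). The 40-hex and sha256
# values are placeholders, not real commits or image digests.
SAMPLE_WORKFLOW = """\
name: CI
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.1
        with:
          node-version: 20
      - uses: ./.github/actions/local-build
      - uses: docker://alpine:3.19
      - uses: docker://alpine@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
      - run: npm test
"""

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
SHA256_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# Matches step-level "- uses:" and job-level "uses:" (reusable workflows);
# the capture stops at whitespace or a trailing "# vX.Y.Z" comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


def classify_uses(ref: str) -> tuple[str, str]:
    """Return (status, reason) for one `uses:` value.

    status is 'pinned', 'unpinned' or 'local'.
    """
    if ref.startswith("./"):
        return "local", "action lives in this repository"
    if ref.startswith("docker://"):
        image = ref[len("docker://"):]
        if "@" in image and SHA256_DIGEST_RE.match(image.rsplit("@", 1)[1]):
            return "pinned", "image pinned by sha256 digest"
        return "unpinned", "docker image referenced by a mutable tag"
    if "@" not in ref:
        return "unpinned", "no ref at all (resolves to the default branch)"
    _, version = ref.rsplit("@", 1)
    if SHA1_RE.match(version):
        return "pinned", "full commit SHA"
    return "unpinned", f"mutable ref '{version}' (a tag or branch can be moved)"


def find_unpinned(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line number, reference, reason) for every unpinned `uses:`."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        status, reason = classify_uses(ref)
        if status == "unpinned":
            findings.append((lineno, ref, reason))
    return findings


def exposure_hints(workflow_text: str) -> dict[str, bool]:
    """Cheap signals for how much an unpinned action could reach:
    any `${{ secrets.* }}` reference, and any explicit `<scope>: write`."""
    return {
        "uses_secrets": re.search(r"\$\{\{\s*secrets\.", workflow_text) is not None,
        "grants_write": re.search(r"^\s*[a-z-]+:\s*write\s*$", workflow_text, re.M)
        is not None,
    }


if __name__ == "__main__":
    for lineno, ref, reason in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {reason}")
    print(exposure_hints(SAMPLE_WORKFLOW))
```

On the constructed workflow the checker reports `actions/checkout@v4` and `docker://alpine:3.19` as unpinned and neither exposure hint fires, which matches the situation described for CI.yml above; the same function run over a release workflow that references `secrets.NPM_TOKEN` or sets `contents: write` would show where pinning matters most. A 40-hex SHA is only an immutable pin if the digest comes from the upstream repository; keep the `# vX.Y.Z` comment beside it so dependabot can track the tag it corresponds to.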