mislav / bump-homebrew-formula-action

Automatically bump Homebrew formula after a release
The Unlicense

Missing `lib` build products #168

Closed jtbandes closed 2 weeks ago

jtbandes commented 4 months ago

We used to pin this workflow by SHA, e.g.

- uses: mislav/bump-homebrew-formula-action@b3327118b2153c82da63fd9cbf58942146ee99f0

This pinning technique is recommended in https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

However, eventually as we bumped the version to latest main (with the help of Dependabot), we started encountering this error:

Error: File not found: '/home/runner/work/_actions/mislav/bump-homebrew-formula-action/868bf7871f81dda58cc50fe1d17ea83ae1f3f929/./lib/index.js'

It seems like this is because lib is not committed to the repo. It is present in the v3 branch, but not on main. Would it be possible to keep this present and up to date? This seems to be what other actions do, e.g.: https://github.com/actions/checkout/tree/main/dist

mislav commented 2 weeks ago

Hi, sorry for the late reply, but you discovered already that this project only commits lib products in the v3 branch (and any past and future v* versioned branch), so if you need to pin to a certain commit SHA, you can use the commit from the v3 branch and not from main.

My rationale is that main is where the development happens and I don't think it's prudent to commit generated files in a development branch, even if other Actions repositories commonly do that. I personally think that various Actions projects commit too much and too often into the main branch, so I try to avoid that.

jtbandes commented 2 weeks ago

Thanks for the reply. It’s been a while since I looked at this, but iirc dependabot does not know which branch to use when bumping a sha-based dependency. So if the build products are not committed on main, dependabot will always try to bump to a broken version of the dependency :(

jtbandes commented 2 weeks ago

Example bump PR from dependabot: https://github.com/foxglove/mcap/pull/1140

(Also, in this particular case we've stopped using this action since Homebrew upstream is auto-bumping the formula for us)

mislav commented 2 weeks ago

> It’s been a while since I looked at this, but iirc dependabot does not know which branch to use when bumping a sha-based dependency.

Ah that's unfortunate. I can see how it's a big problem if you pin to a valid SHA from the v3 branch but later Dependabot suggests "upgrading" to the latest SHA of the main branch, essentially breaking the action setup.

I'm not sure exactly how Dependabot approaches upgrading pinned Actions, but I seem to recall that there is a syntax in the comments such as:

- uses: mislav/bump-homebrew-formula-action@b3327118b2153c82da63fd9cbf58942146ee99f0 # v3.1

Now, in theory, Dependabot should understand that you've pinned to a tagged release, and will only try to upgrade to other tagged releases. (Tagged releases in this repository are guaranteed to have build products checked in.)

I understand that you're not using this Action anymore, but this could help other people in the meantime. For the sake of ease of using Dependabot, I will consider checking in build products to main in the future, since I believe security is important and pinning Actions seems to be more widespread practice.

jtbandes commented 2 weeks ago

I do see that versions in comments will be parsed & updated (https://github.blog/changelog/2022-10-31-dependabot-now-updates-comments-in-github-actions-workflows-referencing-action-versions/ / https://github.com/dependabot/dependabot-core/pull/5951). I'm not sure if this will actually impact which branch it uses to choose the new SHA, or if it's just updating the comment to match whatever SHA it chooses...

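The two things this thread turns on, pinning third-party actions to a full commit SHA (the hardening guide linked in the first comment) and carrying a `# vX.Y` comment next to the pin (the form discussed above, which Dependabot parses and updates), are easy to audit mechanically. The script below is an added example written for this page; it is not code from the action, from Dependabot, or from either commenter. It walks the `uses:` lines of a workflow with a regular expression rather than a YAML parser, which is an assumption that holds for ordinary step definitions but not for quoted or multi-line values, and the verdict names are my own. The sample workflow is constructed for the example; the two 40-character SHAs in it are the ones quoted in this issue, the other entries are made up.

```python
import re

# Constructed sample workflow for this example. The two full SHAs are the ones
# quoted in the issue thread; the remaining entries are invented.
SAMPLE_WORKFLOW = """\
name: release
on:
  push:
    tags: ['v*']
jobs:
  bump:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: mislav/bump-homebrew-formula-action@b3327118b2153c82da63fd9cbf58942146ee99f0 # v3.1
      - uses: mislav/bump-homebrew-formula-action@868bf7871f81dda58cc50fe1d17ea83ae1f3f929
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: some-org/some-action@main
"""

# A `uses:` step line, optionally followed by a trailing `# comment`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s+#\s*(?P<comment>.*?))?\s*$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")
# The comment form Dependabot recognises, e.g. `# v3.1` or `# 3.1.0`.
VERSION_COMMENT_RE = re.compile(r"^v?\d+(\.\d+)*")


def classify_uses(ref, comment):
    """Return a verdict for one `uses:` reference (verdict names are mine)."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return "skip"  # local action or container image: not a remote git ref
    if "@" not in ref:
        return "unpinned"  # no ref at all: resolves to the action's default branch
    _action, _, git_ref = ref.rpartition("@")
    if FULL_SHA_RE.match(git_ref):
        if comment and VERSION_COMMENT_RE.match(comment.strip()):
            return "sha-pinned-with-version"
        # Immutable, but carries no hint about which release line it came from.
        return "sha-pinned-no-version"
    if SHORT_SHA_RE.match(git_ref):
        return "short-sha"  # abbreviated SHAs are not an immutable pin
    return "mutable-ref"  # tag or branch name: the maintainer can move it


def audit_workflow(text):
    """Return one finding per remote `uses:` reference in a workflow file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        verdict = classify_uses(m.group("ref"), m.group("comment"))
        if verdict == "skip":
            continue
        findings.append({"line": lineno, "ref": m.group("ref"), "verdict": verdict})
    return findings


def unsafe_findings(findings):
    """Only the entries a reviewer should act on."""
    ok = {"sha-pinned-with-version"}
    return [f for f in findings if f["verdict"] not in ok]


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']:>3}  {f['verdict']:<26} {f['ref']}")
```

Run it against `.github/workflows/*.yml` in CI and fail the job on anything `unsafe_findings` returns. A `sha-pinned-no-version` hit is exactly the shape of the pin in the first comment of this thread: immutable, but with nothing telling a reader (or a bot) which release line the commit belongs to, so the fix is to add the `# vX.Y` comment rather than to loosen the pin.
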
jtbandes commented 2 weeks ago

I guess another approach could be to change the default branch to v3, assuming dependabot might be using the default branch.