Closed jtbandes closed 2 weeks ago
Hi, sorry for the late reply, but you already discovered that this project only commits `lib` products in the `v3` branch (and any past and future `v*` versioned branch), so if you need to pin to a certain commit SHA, you can use the commit from the `v3` branch and not from `main`.
My rationale is that `main` is where the development happens and I don't think it's prudent to commit generated files in a development branch, even if other Actions repositories commonly do that. I personally think that various Actions projects commit too much and too often into the main branch, so I try to avoid that.
Thanks for the reply. It’s been a while since I looked at this, but iirc dependabot does not know which branch to use when bumping a sha-based dependency. So if the build products are not committed on main, dependabot will always try to bump to a broken version of the dependency :(
Example bump PR from dependabot: https://github.com/foxglove/mcap/pull/1140
(Also, in this particular case we've stopped using this action since Homebrew upstream is auto-bumping the formula for us)
> It’s been a while since I looked at this, but iirc dependabot does not know which branch to use when bumping a sha-based dependency.

Ah, that's unfortunate. I can see how it's a big problem if you pin to a valid SHA from the `v3` branch but later Dependabot suggests "upgrading" to the latest SHA of the `main` branch, essentially breaking the action setup.
I'm not sure exactly how Dependabot approaches upgrading pinned Actions, but I seem to recall that there is a syntax in the comments such as:
```yaml
- uses: mislav/bump-homebrew-formula-action@b3327118b2153c82da63fd9cbf58942146ee99f0 # v3.1
```
Now, in theory, Dependabot should understand that you've pinned to a tagged release, and will only try to upgrade to other tagged releases. (Tagged releases in this repository are guaranteed to have build products checked in.)
I understand that you're not using this Action anymore, but this could help other people in the meantime. For the sake of ease of using Dependabot, I will consider checking in build products to `main` in the future, since I believe security is important and pinning Actions seems to be more widespread practice.
I do see that versions in comments will be parsed & updated (https://github.blog/changelog/2022-10-31-dependabot-now-updates-comments-in-github-actions-workflows-referencing-action-versions/ / https://github.com/dependabot/dependabot-core/pull/5951). I'm not sure if this will actually impact which branch it uses to choose the new SHA, or if it's just updating the comment to match whatever SHA it chooses...
I guess another approach could be to change the default branch to v3, assuming dependabot might be using the default branch.
We used to pin this workflow by SHA, e.g.
This pinning technique is recommended in https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
However, eventually as we bumped the version to latest main (with the help of Dependabot), we started encountering this error:
It seems like this is because `lib` is not committed to the repo. It is present in the `v3` branch, but not on `main`. Would it be possible to keep this present and up to date? This seems to be what other actions do, e.g.: https://github.com/actions/checkout/tree/main/dist