pypa / packaging.python.org

Python Packaging User Guide
http://packaging.python.org

Update download-artifact plugin in publish-to-test-pypi.yml to fix vulnerability #1596

Closed markusgrotz closed 2 months ago

markusgrotz commented 2 months ago

Versions of actions/download-artifact before 4.1.7 are vulnerable to arbitrary file write when downloading and extracting a specifically crafted artifact that contains path traversal filenames.

For more details see: https://github.com/advisories/GHSA-6q32-hq47-5qq3

📚 Documentation preview 📚: https://python-packaging-user-guide--1596.org.readthedocs.build/en/1596/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/

zanieb commented 2 months ago

Yes Dependabot supports bumping these versions https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot

sinoroc commented 2 months ago

> Yes Dependabot supports bumping these versions https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot

Even for the files that are in non-regular locations (i.e. not in .github/workflows)?

webknjaz commented 2 months ago

> Even for the files that are in non-regular locations (i.e. not in .github/workflows)?

Not sure. However, I wouldn't want hashes or patch-level version bumps in the guide, which is why I kept the major-version refs in it.

They also need to be manually validated, since for example the upload+download actions of v4 have breaking changes. They probably don't affect the example workflow but would affect people with more complicated scenarios, having matrices of C-extensions.