qcastel / github-actions-maven-release

Release your Java application and publish artifacts

Versioning of action #15

Closed dbelob closed 4 years ago

dbelob commented 4 years ago

Please consider adding versioning to your github-actions-maven-release action (and others too).

That is, instead of using

uses: qcastel/github-actions-maven-release@master

to use

uses: qcastel/github-actions-maven-release@v1

for version 1,

uses: qcastel/github-actions-maven-release@v2

for version 2 etc.

This practice will help to avoid the consequences of possible errors in the new version with significant changes in functionality. For example, on errors in version v2, I could temporarily continue to use v1 (see #14).

You write wonderful useful applications. I suggest giving GitHub Sponsors a try. I am ready to sponsor your projects.

qcastel commented 4 years ago

@dbelob It's already versioned, I created tags on a regular basis:

https://github.com/qcastel/github-actions-maven-release/tags

The recent changes that are made were indeed breaking the API, I therefore moved from 1.11.x to 1.12.x.

qcastel commented 4 years ago

Although I do versioning, there is a security risk in the current design of GitHub Actions. It is explained here: https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions

"Pin actions to a full length commit SHA"

I would recommend following this security recommendation if you are using GitHub Actions for producing artefacts designed to be consumed in a production environment.

dbelob commented 4 years ago

Other actions have a version number in the name. For example, codecov/codecov-action@v1

> The recent changes that are made were indeed breaking the API, I therefore moved from 1.11.x to 1.12.x.

Could this somehow help me when an error appears in qcastel/github-actions-maven-release@master?

Was I able to switch to a previous working version?

qcastel commented 4 years ago

After the '@' is a commit reference. You can therefore use

qcastel/github-actions-maven-release@1.12.1

> Was I able to switch to a previous working version?

Yes, you could have done that. You could have moved to qcastel/github-actions-maven-release@v1.11.2

but if you did, you wouldn't contribute to this github actions by bulletproofing the latest version. For that, I thank you.

dbelob commented 4 years ago

> Yes, you could have done that. You could have moved to qcastel/github-actions-maven-release@v1.11.2

Now I know about it, thanks.

> but if you did, you wouldn't contribute to this github actions by bulletproofing the latest version. For that, I thank you.

If this situation occurs again, I will use the old version number temporarily and create an issue.

Please think about GitHub Sponsors :)

dbelob commented 4 years ago

The ability to specify versions exists (for example, qcastel/github-actions-maven-release@v1.11.2).

qcastel commented 4 years ago

> You write wonderful useful applications. I suggest giving GitHub Sponsors a try. I am ready to sponsor your projects.

I never really knew or even thought about github sponsor. Thanks for the suggestion, I will give it a go out of curiosity of out this work!

qcastel commented 4 years ago

As a followup of this RFE, I extended the readme to highlight how versioning can be used on this github action: https://github.com/qcastel/github-actions-maven-release#choose-your-version-of-this-github-action

qcastel commented 4 years ago

@dbelob here you go, I am now in github sponsors program! :) https://github.com/sponsors/qcastel

dbelob commented 4 years ago

> @dbelob here you go, I am now in github sponsors program! :) https://github.com/sponsors/qcastel

Already.

qcastel commented 4 years ago

Many thanks! Will use your contribution in my next project, will mention @ you the repo once it's live :)
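The thread distinguishes three kinds of reference after the `@` (a branch such as `master`, a tag such as `v1.11.2`, and the full-length commit SHA the GitHub hardening guide recommends). The following audit script is an added example, not part of the thread or of the project's code: it scans workflow text for `uses:` lines and reports which references are not pinned to a 40-character SHA. The function names, the sample workflow and the SHA in it are constructed for illustration.

```python
import re

# Matches "uses: owner/repo[/path]@ref" in a step, with optional "- " and quotes.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#@]+)@([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
BRANCH_NAMES = {"master", "main"}  # assumption: common default-branch names

# Constructed sample workflow; the 40-character SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: qcastel/github-actions-maven-release@master
      - uses: qcastel/github-actions-maven-release@v1.11.2
      - name: Pinned release step
        uses: qcastel/github-actions-maven-release@0123456789abcdef0123456789abcdef01234567  # placeholder
"""


def classify_ref(ref):
    """Return 'sha', 'branch' or 'tag-or-branch' for the text after '@'."""
    if FULL_SHA_RE.fullmatch(ref):
        return "sha"  # immutable: always resolves to the same commit
    if ref in BRANCH_NAMES:
        return "branch"  # moves with every push
    return "tag-or-branch"  # mutable: a tag can be moved or recreated


def audit_workflow(text):
    """Return (line_no, action, ref, kind) for each third-party action reference."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        action, ref = match.groups()
        # docker:// images use a digest, not a git ref, so they are out of scope here.
        if action.startswith(("./", "docker://")):
            continue
        findings.append((line_no, action, ref, classify_ref(ref)))
    return findings


def unpinned(text):
    """Return only the references that are not a full-length commit SHA."""
    return [f for f in audit_workflow(text) if f[3] != "sha"]


if __name__ == "__main__":
    for line_no, action, ref, kind in unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} is a {kind}, not a full commit SHA")
```
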