Closed artis3n closed 2 years ago
I'm not sure I understand the goal here. Dependabot is something antithetical to Ratchet's goals. Dependabot says "give me all the latest software versions" and Ratchet says "keep me pinned to this specific version which I have audited and reviewed".
Using Dependabot with Ratchet only protects you in a very narrow security scenario: in which a malicious actor has permissions to overwrite an existing tag but not permissions to create a new tag. It's my understanding that GitHub's model makes this relatively impossible; in fact, it's much easier to protect existing tags with tag protection rules than it is to prevent the creation of new tags.
To summarize: I don't think dependabot is a good idea for GitHub Actions if you care about security. Therefore I'm not in favor of showcasing this use case. I hope you understand, and please let me know if you have any questions.
I don't necessarily agree with the line of reasoning but totally understand that's not what you want ratchet supporting. No problem!
TL;DR
Include an example on the README under the CI/CD workflows section of a plug-and-playable workflow to enable ratchet updates to run when Dependabot creates a PR to bump the version of something in an Actions workflow file.
Detailed design
I'm going to spend more time on it later, but following the general process from https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#common-dependabot-automations, I have the workflow file below. My goal is to have a job such that when Dependabot opens a PR due to a new release of any of the Actions I'm referencing in any of my workflows, ratchet will run to update the pinned comment and the workflow will commit that change to the Dependabot PR. Here's what I started with:
Additional information
I'll tinker again with this in a couple weeks and get a workflow going but figured I'd throw this out in the meantime.
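For readers who want to see what the job described in the issue body would look like, here is an added example workflow. It is not the author's workflow (that file did not survive on this page) and it is not part of ratchet's own documentation. It assumes the Dependabot actor check from the linked GitHub docs, that ratchet is installed with go install from its module path, that ratchet update re-resolves each "# ratchet:" constraint comment to the commit it currently points at, and that the repository grants the workflow token contents: write so the job can push to Dependabot's branch. The workflow name and commit message are made up for the example.

```yaml
# Added example, not the issue author's file: run ratchet on Dependabot PRs
# that touch workflow files and commit any resulting pin changes to the PR.
name: ratchet-on-dependabot

on:
  pull_request:
    paths:
      - ".github/workflows/**"

# Assumption: the repository lets the GITHUB_TOKEN write contents so the
# job can push to the Dependabot branch. Without this the push step fails.
permissions:
  contents: write

jobs:
  ratchet:
    # Same actor check the linked Dependabot automation docs use.
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          # Check out the PR branch itself rather than the merge ref so the
          # commit below lands on Dependabot's branch.
          ref: ${{ github.head_ref }}

      - uses: actions/setup-go@v4
        with:
          go-version: "1.21"   # assumption: any Go version ratchet builds with

      # Assumption: ratchet is installed from its Go module path.
      - run: go install github.com/sethvargo/ratchet@latest

      # Re-resolve every "# ratchet:" constraint comment so the pinned SHA
      # and its comment agree again after Dependabot's bump.
      - run: ratchet update .github/workflows/*.yml

      - name: Commit pin changes back to the Dependabot PR
        run: |
          if git diff --quiet; then
            echo "ratchet made no changes"
            exit 0
          fi
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git commit -am "Update ratchet pins after Dependabot bump"
          git push
```

Two things to keep in mind if you adapt this. The action references in the example are left as tags for readability; in a repository that uses ratchet they would themselves be SHA-pinned with ratchet comments. The job uses the pull_request trigger on purpose: switching to pull_request_target while still checking out github.head_ref would run the PR's modified workflow content with a write-capable token, which is the pattern you most want to avoid here. Also, commits pushed with the default GITHUB_TOKEN do not start new workflow runs, so a later ratchet check job will not re-run on the commit this job pushes.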