slimtoolkit / slim

Slim(toolkit): Don't change anything in your container image and minify it by up to 30x (and for compiled languages even more) making it secure too! (free and open source)
Apache License 2.0

Pin Actions workflow versions for deterministic execution. Configure Dependabot to keep workflows up to date. #464

Closed cthach closed 1 year ago

cthach commented 1 year ago

Signed-off-by: Chris Thach 12981621+cthach@users.noreply.github.com

What

  1. Pins all GitHub Actions reusable workflow versions to the latest compatible semantic version.
  2. Configures Dependabot to submit PRs when a reusable workflow is updated.

Why

By pinning to a specific workflow version, we prevent workflow breakage or unexpected behavior when workflow owners publish updates.

Dependabot can be configured to handle the chore of updating workflow versions when new ones are published.

How Tested

Searching for when a reusable workflow is used and manually verifying the tag in the upstream repository.

$ grep --fixed-strings 'uses:' --no-filename --recursive .github/workflows | awk '{ print $NF }' | sort --unique

actions/cache@v3.2.4
actions/checkout@v2.6.0
actions/checkout@v3.3.0
actions/download-artifact@v3.0.2
actions/setup-go@v3.5.0
actions/setup-java@v2.5.0
actions/setup-node@v2.5.1
actions/setup-python@v2.3.2
actions/upload-artifact@v3.1.2
Codesee-io/codesee-detect-languages-action@v1
Codesee-io/codesee-map-action@v1
ruby/setup-ruby@v1.134.0
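An audit script, added here as an example (not part of the slim repository or this PR), that automates the check described under How Tested: it flags every `uses:` reference that is not pinned to a full semantic version tag, also accepting a 40-hex commit SHA as pinned, and confirms that a `dependabot.yml` has a `github-actions` update entry. The workflow file and `dependabot.yml` it writes are constructed samples, and the SHA in them is a placeholder, not a real commit.

```shell
#!/bin/sh
# Added example, not code from the slim repository: audit every "uses:" reference under a
# workflows directory. "Pinned" means a full semver tag (vX.Y.Z) or a 40-hex commit SHA;
# a major-only tag (@v1) or a branch (@main) can change underneath a workflow at any time.

# Print each unpinned reference as "unpinned: <ref>"; exit 0 only when none is found.
check_pinned_uses() {
  dir="$1"
  unpinned=0
  for ref in $(grep -hrF 'uses:' "$dir" | awk '{ print $NF }' | sort -u); do
    case "$ref" in ./*) continue ;; esac          # local action in this repo: nothing to pin
    version="${ref##*@}"                          # text after the last "@" (whole ref if none)
    if printf '%s\n' "$version" | grep -Eq '^(v?[0-9]+\.[0-9]+\.[0-9]+|[0-9a-f]{40})$'; then
      continue
    fi
    echo "unpinned: $ref"
    unpinned=$((unpinned + 1))
  done
  [ "$unpinned" -eq 0 ]
}

# Exit 0 when the given dependabot.yml has a github-actions update entry, 1 otherwise.
has_actions_dependabot() {
  grep -Eq '^[[:space:]]*-?[[:space:]]*package-ecosystem:[[:space:]]*"?github-actions"?' "$1"
}

# Constructed sample tree so the script runs stand-alone (placeholder SHA, not a real commit).
SAMPLE="$(mktemp -d)"
trap 'rm -rf "$SAMPLE"' EXIT
mkdir -p "$SAMPLE/.github/workflows"
cat > "$SAMPLE/.github/workflows/ci.yml" <<'EOF'
jobs:
  build:
    steps:
      - uses: actions/checkout@v3.3.0
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
      - uses: Codesee-io/codesee-map-action@v1
      - uses: ./.github/actions/local-step
EOF
cat > "$SAMPLE/.github/dependabot.yml" <<'EOF'
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
EOF
if check_pinned_uses "$SAMPLE/.github/workflows"; then echo "all uses: references pinned"; fi
has_actions_dependabot "$SAMPLE/.github/dependabot.yml" && echo "dependabot covers github-actions"
```

On the constructed sample the script reports only `Codesee-io/codesee-map-action@v1`, the same major-only tag that appears in the list above.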

kcq commented 1 year ago

Thank you @cthach!