Open thepwagner opened 2 months ago
Sorry that this request went unanswered for such a long time, it simply fell through the cracks during the summer holidays!
I think this makes sense, but I feel there might be an option needed to select between the behaviours.
Thanks for filing the issue!
Please describe the enhancement
Given a reference like actions/checkout@v3, I'd prefer the pinned version to be:
actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
instead of
actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
This difference makes the result (including the comment) compatible with Dependabot. Dependabot will update the commit of actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3, but leave the comment at v3.
This should only be done when multiple tags reference the same commit.
Solution Proposal
When pinning, list all tags in the repository. When a commit to be pinned can be resolved to multiple tags, choose the "most specific" tag.
Describe alternatives you've considered
We could wrap frizbee, or use a linter to discourage using major version tags.
This could be WONTFIX, treated as a bug in Dependabot: https://github.com/dependabot/dependabot-core/issues/8011 . (I have not confirmed how RenovateBot handles this case.)
Additional context
No response
Acceptance Criteria
actions/checkout@v3
actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
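As an added example (not frizbee's own code), this Go sketch implements the solution proposal above: resolve the tag to its commit, then choose the most specific tag among all tags that share that commit, so the comment in the pin matches the form Dependabot keeps in sync. The tag list is a constructed sample, and ranking tags by their count of numeric components (v3 < v3.6 < v3.6.0) is an assumption about what "most specific" means.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample tag list (tag -> commit), as `git ls-remote --tags` would
// give it: v3 and v3.6 sit on the v3.6.0 commit, v4 on the v4.1.7 commit.
var tagToCommit = map[string]string{
	"v3":     "f43a0e5ff2bd294095638e18286ca9a3d1956744",
	"v3.6":   "f43a0e5ff2bd294095638e18286ca9a3d1956744",
	"v3.6.0": "f43a0e5ff2bd294095638e18286ca9a3d1956744",
	"v4":     "692973e3d937129bcbf40652eb9f2f61becf3332",
	"v4.1.7": "692973e3d937129bcbf40652eb9f2f61becf3332",
}

var semverTag = regexp.MustCompile(`^v?\d+(\.\d+){0,2}$`)
// specificity: v3 -> 1, v3.6 -> 2, v3.6.0 -> 3; any other shape scores 0.
func specificity(tag string) int {
	if !semverTag.MatchString(tag) {
		return 0
	}
	return strings.Count(tag, ".") + 1
}

// mostSpecificTag picks the highest-specificity tag resolving to commit;
// ties break lexically so the result is deterministic.
func mostSpecificTag(tags map[string]string, commit string) string {
	best := ""
	for tag, sha := range tags {
		s, b := specificity(tag), specificity(best)
		if sha == commit && (best == "" || s > b || (s == b && tag < best)) {
			best = tag
		}
	}
	return best
}

// Pin rewrites "owner/repo@tag" to "owner/repo@<commit> # <most specific tag>",
// the form whose comment Dependabot keeps in sync when it bumps the commit.
func Pin(ref string, tags map[string]string) (string, error) {
	action, tag, ok := strings.Cut(ref, "@")
	commit, found := tags[tag]
	if !ok || !found {
		return "", fmt.Errorf("cannot resolve %q to a tagged commit", ref)
	}
	return fmt.Sprintf("%s@%s # %s", action, commit, mostSpecificTag(tags, commit)), nil
}
```

With the sample table, Pin("actions/checkout@v3", tagToCommit) yields the v3.6.0 form requested above, and the v4 reference yields the # v4.1.7 form from the acceptance criteria.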