build(deps): bump DamianReeves/write-file-action from 41569a7dac64c252caacca7bceefe28b70b38db1 to 0a7fcbe1960c53fc08fe789fa4850d24885f4d84 #6995
Conversation
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=60&v=4){kind=small}
Bumps [DamianReeves/write-file-action](https://github.com/damianreeves/write-file-action) from 41569a7dac64c252caacca7bceefe28b70b38db1 to 0a7fcbe1960c53fc08fe789fa4850d24885f4d84. - [Release notes](https://github.com/damianreeves/write-file-action/releases) - [Commits](DamianReeves/write-file-action@41569a7...0a7fcbe) --- updated-dependencies: - dependency-name: DamianReeves/write-file-action dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]>
dependabot
bot
added
the
dependencies
|
@pbrezina Do you remember why we used a certain commit hash for this GH action? Can we instead switch to this? |
|
It is recommended to use hashes for external actions that you do not trust. If you use tag, it can be deleted and added again to different hash. So if someone re-tags it to malicious code, it will affect our workflow. But yes, we can use tag in this line since no secrets are available for this workflow (pull_request), we should not use it for pull_request_target. |
Okay makes sense, let's leave this PR as is and just bump the commit hash to follow recommended security practices. |
|
OK, I won't notify you again about this release, but will get in touch when a new version is available. You can also ignore all major, minor, or patch releases for a dependency by adding an If you change your mind, just re-open this PR and I'll resolve any conflicts on it. |
dependabot
bot
deleted the
dependabot/github_actions/DamianReeves/write-file-action-0a7fcbe1960c53fc08fe789fa4850d24885f4d84
branch
Bumps DamianReeves/write-file-action from 41569a7dac64c252caacca7bceefe28b70b38db1 to 0a7fcbe1960c53fc08fe789fa4850d24885f4d84.
Commits
0a7fcbeOverwritten by Github Actions - ${date}afb5d1dMerge 9fb3fde1cf18fb03705b93e687c5261dc6890b41 into 1d0220365f3fbb2899fcee385...9fb3fdeUpdate actions version564b11bUpdates1d02203Overwritten by Github Actions - ${date}2cb478bUpdate node versiona432935Overwritten by Github Actions - ${date}e139b94Merge ce03f9e984d26aefbb2b8796b661fd724440f4ad into fbc1a1ac95c85dbf087f0dd30...ce03f9eChange file created by testfbc1a1aOverwritten by Github Actions - ${date}Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)