[Feedback] Unclear value proposition for hash-pinning dependencies and keeping them up-to-date with dependency update tools

[pnacht]

I've recently been trying to get projects to hash-pin their dependencies and keep them up-to-date with dependabot or renovatebot. I've had mixed results, with many projects questioning the value of such a change.

See here a few of the discussions I've had on this topic. They are all solid discussions with valuable maintainer feedback. I recommend reading them in order since they refer to each other.

• [FR] Hash-pin GitHub workflow Actions pypa/setuptools#4025
• Hash-pin GitHub Actions to increase workflow resiliency  python/cpython#109110
• Hash-pin GitHub Actions, add dependabot to keep them up-to-date WebAssembly/wabt#2291
• Pinned gha keras-team/keras-core#877

[github-actions]

This issue is stale because it has been open for 60 days with no activity.

[github-actions]

This issue has been marked stale because it has been open for 60 days with no activity.