What feature do you need?
By default, when using a binding provided by the bindings server, we refer by the major or full version. It can be a branch or a tag. While major version tags/branches change and it's expected, full versions shouldn't. However, technically nothing stops the action owner from hard-resetting some full-version branch/tag to point to a different commit, and no one will notice it.
That's why, as a part of security hardening, some workflow owners use the full SHA-1 of the commits they want to use for each action. It guarantees the action's code won't silently change.
Users of github-workflows-kt can already do it using the `_customVersion` constructor argument:

However, dependency updating bots cannot update such commit hashes.
In theory we could try allowing such format when specifying a dependency on an action:
```kotlin
@file:DependsOn("actions:checkout:b4ffde65f46336ab88eb53be808477a3936bae11")
```
but then, even if we make this commit hash be updated to the right value, there's no mechanism to keep the full version in the comment, as shown in the example below.
Do you have an example usage?
Is there a workaround for not having this feature? If yes, please describe it.
No way to make the dependency updating bots work when just specifying the commit hash as the version.
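An added example, not part of the issue or of github-workflows-kt, of the defender-side check this discussion implies: it walks the `uses:` entries of a workflow file, separates mutable refs (major version, full version, branch/tag) from full SHA-1 pins, and flags pins that lack the trailing version comment that dependency-update bots key off. The sample workflow text and the second SHA are constructed placeholders.

```python
import re

# One "uses:" step line, e.g. "- uses: actions/checkout@v4 # comment".
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)"
    r"@(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>.*))?$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_RE = re.compile(r"v?\d+(?:\.\d+){1,2}")

def classify_ref(ref):
    """Immutable full SHA-1, or one of the mutable ref kinds the issue lists."""
    if FULL_SHA_RE.match(ref):
        return "sha"
    if re.fullmatch(r"v?\d+", ref):
        return "major"          # moving tag/branch, expected to change
    if VERSION_RE.fullmatch(ref):
        return "full-version"   # should not move, but nothing enforces that
    return "branch-or-tag"

def audit_workflow(yaml_text):
    """Return (action, ref, status) per uses: line; a SHA pin counts as
    'pinned' only when its comment carries the human-readable version."""
    findings = []
    for line in yaml_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        kind = classify_ref(m.group("ref"))
        if kind == "sha":
            has_version = VERSION_RE.search(m.group("comment") or "")
            status = "pinned" if has_version else "pinned-no-version-comment"
        else:
            status = "mutable-" + kind
        findings.append((m.group("action"), m.group("ref"), status))
    return findings

# Constructed sample workflow; the setup-java SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """steps:
  - uses: actions/checkout@v4
  - uses: actions/checkout@v4.1.1
  - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
  - uses: actions/setup-java@0123456789abcdef0123456789abcdef01234567
  - uses: docker/login-action@main
"""
```

Only the third entry is both immutable and bot-updatable; the fourth is pinned but will never be bumped because the version comment is missing.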