Use Dependabot to update GHAs, now supports SHAs
This is a bit of a test of Dependabot's support for managing SHA-based versions of GitHub Actions.

In the original press release about Dependabot's support for GHAs, they say:

> Dependabot creates pull requests that update the action to the latest released tag (e.g., v2), regardless of if you’re currently on a release tag, a pre-release tag, or a specific hash.

github.blog/2020-06-25-dependabot-now-updates-your-actions-workflows/

But I think SHA-based updates were added as a part of:

dependabot/dependabot-core#2835

I see examples where Dependabot apparently works with SHAs:

https://github.com/systemd/systemd/pull/22638/files
https://github.com/google/go-github/pull/2049/files

And those projects are using config like is proposed here:

https://github.com/systemd/systemd/blob/main/.github/dependabot.yml#L5
https://github.com/google/go-github/blob/master/.github/dependabot.yml#L15

As always, we should be careful about taking updates from third parties and review these PRs to update GHAs carefully. Especially until submariner-io#1740 reduces the permissions of each job to the minimum required.

Signed-off-by: Daniel Farrell <[email protected]>