fix: Use specific action versions #24
Conversation
Avoids quietly using whichever version is the latest starting with the specified version number, which could break at any time.
|
So if a security-related bugfix would be issued it would not be included. I think I'd prefer the latest non-breaking version that is safe and accept a broken dependency in rare cases, especially as the extensions are not always actively maintained and the updates of the dependencies would lead to a lot of friction. But maybe that's just me... |
|
The security issue is a bit of six of one and half dozen of the other. Running a specific version gives you a little time in case someone introduces a new security hole in a release and it's discovered before merging the Dependabot PR. That said, I'm not sure what kind of damage a security-related bug could even do in one of this project's included actions. |
|
Ping? |
1 similar comment
|
Ping? |
|
I don't work with STAC anymore, so I've unsubbed from this. Please @ me if you would like some further feedback. |
|
Solved by #26 |
GitHub Actions unfortunately runs the latest version of the actions which fits the
usesdirective version. So right nowactions/checkout@v3is equivalent toactions/[email protected], but this can change at any time. To avoid workflows suddenly failing in case a new minor/patch version of an action, this PR uses the most specific version number available for the checkout action.