
actions: accept shortref hashes #2942

Merged
merged 2 commits into from
Jan 5, 2021

Conversation

thepwagner (Contributor)

When dependabot updates an Actions workflow file, it prefers to replace versions with full-length commit SHAs.
This is a great practice, reinforced by Actions' best practices.

This has an unfortunate side effect when the Action is already pinned to the short version of the SHA: Dependabot will propose an "upgrade" to the full SHA.
That is a good idea from a security standpoint, but not an expected feature of Dependabot. Customers only expect PRs for dependency updates.

This PR adjusts the Actions comparison so that short refs are considered equal to full refs when considering upgrades.
That means customers will be upgraded (to full SHAs) as new releases become available, but Dependabot won't open a PR that only replaces a short ref with the expanded full ref.
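An added example, not dependabot-core's own code, of the comparison this PR describes: a candidate full SHA that merely expands the short SHA a workflow is already pinned to is not treated as an update, while a different commit, or a move from a tag to a SHA, still is. The 7-character minimum abbreviation length and the helper names are assumptions.

```ruby
# Added example (not dependabot-core's own code): decide whether a proposed
# Actions ref is a genuine update or only the full-length form of a short SHA
# the workflow already pins.

SHA_HEX = /\A[0-9a-f]+\z/i
FULL_SHA_LENGTH = 40       # SHA-1 hex digits
MIN_SHORT_SHA_LENGTH = 7   # assumption: Git's usual abbreviation length

# True if `ref` looks like a (possibly abbreviated) commit SHA rather than a tag or branch.
def sha_like?(ref)
  ref.length.between?(MIN_SHORT_SHA_LENGTH, FULL_SHA_LENGTH) && ref.match?(SHA_HEX)
end

# True if one ref abbreviates the other, i.e. both name the same commit.
def same_commit?(ref_a, ref_b)
  return false unless sha_like?(ref_a) && sha_like?(ref_b)

  shorter, longer = [ref_a.downcase, ref_b.downcase].sort_by(&:length)
  longer.start_with?(shorter)
end

# Should a PR be opened replacing `current_ref` with `candidate_sha`?
# Identical refs and short-to-full expansions of the same commit are skipped;
# a different commit or a tag being replaced by a SHA still counts as an update.
def update_needed?(current_ref, candidate_sha)
  return false if current_ref == candidate_sha
  return false if same_commit?(current_ref, candidate_sha)

  true
end
```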

@thepwagner thepwagner self-assigned this Jan 4, 2021
@thepwagner thepwagner requested a review from a team as a code owner January 4, 2021 14:44
@feelepxyz feelepxyz (Contributor) left a comment

Added a minor nit comment, LGTM otherwise 👍

@feelepxyz feelepxyz merged commit d336e54 into main Jan 5, 2021
@feelepxyz feelepxyz deleted the actions-shortref branch January 5, 2021 11:05