actions: expand to the most specific semver tag #184

Open
thepwagner opened this issue Jul 23, 2024 · 3 comments
Labels
enhancement New feature or request

Comments

thepwagner commented Jul 23, 2024

Please describe the enhancement

Given a reference like actions/checkout@v3.

I'd prefer the pinned version to be actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 instead of actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.

This difference makes the result (including the comment) compatible with Dependabot. Dependabot will update the commit of actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3, but leave the comment at v3.

This should only be done when multiple tags reference the same commit.

Solution Proposal

When pinning, list all tags in the repository.
When a commit to be pinned can be resolved to multiple tags, choose the "most specific" tag.

Describe alternatives you've considered

We could wrap frizbee, or use a linter to discourage using major version tags.

This could be WONTFIX, treated as a bug in Dependabot: dependabot/dependabot-core#8011. (I have not confirmed how RenovateBot handles this case.)

Additional context

No response

Acceptance Criteria

  1. Have a repository using actions/checkout@v3.
  2. Run frizbee to pin the actions in the repository.
  3. Enable Dependabot for GitHub Actions: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot
  4. Receive a clean pull request upgrading to the latest pinned version (at the time of writing): actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
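
The selection rule from the proposal above, written out in Go as an added example (this is not frizbee's own code): among the tags that resolve to the pinned commit, keep the one with the most semver components, and leave the comment alone when no other tag is more specific. The SHA is the one quoted in the issue; the list of tags assumed to point at it is constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// semverTag matches plain release tags such as v3, v3.6 or v3.6.0
// (the leading "v" is optional); pre-release suffixes are not handled.
var semverTag = regexp.MustCompile(`^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$`)

// specificity returns the number of numeric components in a semver tag
// (v3 -> 1, v3.6 -> 2, v3.6.0 -> 3) and 0 for anything else, e.g. "main".
func specificity(tag string) int {
	m := semverTag.FindStringSubmatch(tag)
	if m == nil {
		return 0
	}
	n := 0
	for _, part := range m[1:] {
		if part != "" {
			n++
		}
	}
	return n
}

// PinAction rewrites "owner/repo@ref" to "owner/repo@<sha> # <tag>". The
// comment keeps the original ref unless another tag at the same commit is
// more specific, so a commit carrying only "v3" stays commented "# v3".
func PinAction(ref, sha string, tagsAtCommit []string) string {
	repo, tag, ok := strings.Cut(ref, "@")
	if !ok {
		return ref // not an "owner/repo@ref" reference; leave untouched
	}
	best := tag
	for _, t := range tagsAtCommit {
		if specificity(t) > specificity(best) {
			best = t
		}
	}
	return fmt.Sprintf("%s@%s # %s", repo, sha, best)
}

func main() {
	sha := "f43a0e5ff2bd294095638e18286ca9a3d1956744" // commit quoted in the issue
	tags := []string{"v3", "v3.6", "v3.6.0"}           // constructed: tags assumed to resolve to sha
	fmt.Println(PinAction("actions/checkout@v3", sha, tags))
}
```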
Contributor

jhrozek commented Sep 20, 2024

Sorry that this request went unanswered for such a long time, it simply fell through the cracks during the summer holidays!

I think this makes sense, but I feel there might be an option needed to select between the behaviours.

Thanks for filing the issue!

jhrozek added the enhancement label on Sep 20, 2024
Contributor

blkt commented Oct 29, 2024

Hey @thepwagner, I just wanted to check if this is still relevant.
My guess is that listing all tags in the repository might be expensive, but I might be wrong.

Would you mind opening a PR to address this issue?

xopham commented Dec 9, 2024

I second @thepwagner in their request! Pinning by digest is super critical, but only if you do not lose information and updating is simple, which in this case means full semver tag versions and dependabot.
