Please describe the enhancement
Given a reference like actions/checkout@v3, I'd prefer the pinned version to be:
actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
instead of:
actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
This difference makes the result (including the comment) compatible with Dependabot. Dependabot will update the commit of actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3, but leave the comment at v3.
This should only be done when multiple tags reference the same commit.
Solution Proposal
When pinning, list all tags in the repository.
When a commit to be pinned can be resolved to multiple tags, choose the "most specific" tag.
Describe alternatives you've considered
We could wrap frizbee, or use a linter to discourage using major version tags.
This could be WONTFIX, treated as a bug in Dependabot: dependabot/dependabot-core#8011. (I have not confirmed how RenovateBot handles this case.)
Acceptance Criteria
Given a reference like actions/checkout@v3, receive a clean pull request upgrading to the latest pinned version (at the time of writing): actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
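As an added illustration of the proposal above (not frizbee's own code), here is a Go sketch of the two steps: resolve the tag in a reference to its commit, then, among every tag in the listing that points at that commit, keep the most specific one for the trailing comment. SampleTags is constructed data; only the v3/v3.6.0 commit is the one quoted in the issue.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Tag is one entry of a repository tag listing: the tag name and the commit it points at.
type Tag struct{ Name, SHA string }

// SampleTags is constructed data; only the v3/v3.6.0 commit is the one quoted in the issue.
var SampleTags = []Tag{
	{"v3", "f43a0e5ff2bd294095638e18286ca9a3d1956744"},     // major tag (moves over time)
	{"v3.6.0", "f43a0e5ff2bd294095638e18286ca9a3d1956744"}, // same commit, full semver
	{"v3.5.3", "0000000000000000000000000000000000000353"}, // constructed sha
}
var semverRe = regexp.MustCompile(`^v?\d+(\.\d+){0,2}$`)

// specificity counts version components of a vN[.N[.N]] tag: v3 -> 1, v3.6.0 -> 3; other tags score 0.
func specificity(name string) int {
	if !semverRe.MatchString(name) {
		return 0
	}
	return strings.Count(name, ".") + 1
}

// MostSpecificTag picks, among all tags pointing at sha, the one with the most version
// components, so v3.6.0 wins over v3; it returns "" if nothing points at sha.
func MostSpecificTag(tags []Tag, sha string) string {
	best, bestN := "", -1
	for _, t := range tags {
		// More components win; on a tie the lexically larger name keeps the result deterministic.
		if n := specificity(t.Name); t.SHA == sha && (n > bestN || n == bestN && t.Name > best) {
			best, bestN = t.Name, n
		}
	}
	return best
}

// Pin rewrites "owner/repo@tag" to "owner/repo@<sha> # <most specific tag>",
// the form the issue describes as Dependabot-compatible.
func Pin(ref string, tags []Tag) (string, error) {
	parts := strings.SplitN(ref, "@", 2)
	if len(parts) != 2 {
		return "", fmt.Errorf("reference %q has no @tag", ref)
	}
	for _, t := range tags {
		if t.Name == parts[1] {
			return fmt.Sprintf("%s@%s # %s", parts[0], t.SHA, MostSpecificTag(tags, t.SHA)), nil
		}
	}
	return "", fmt.Errorf("tag %q not found in listing", parts[1])
}
```

Pin("actions/checkout@v3", SampleTags) yields the v3.6.0 form from the issue; a tag that is the only one on its commit keeps its own name.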
Hey @thepwagner I just wanted to check if this is still relevant.
My guess is that listing all tags in the repository might be expensive, but I might be wrong.
Would you mind opening a PR to address this issue?
I second @thepwagner in their request! Pinning by digest is super critical, but only if you do not lose information and updating is simple, which in this case means full semver tag versions and Dependabot.