New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Updated the documentation on Github Actions to ensure pinned dependencies are kept updated. #874

Closed

andyloughran wants to merge 1 commit into main from dependabot/updates-to-pinned

Contributor

andyloughran commented Feb 9, 2024

Dependabot has the capability to keep Github Actions updated, even when pinned to a specific commitsha rather than tag.

There are many formats that are allowed, but I've only provided a single example in the docs: https://github.com/dependabot/dependabot-core/blob/b4112ce4639d7eed1e3b2e0792eb7533f7cb125f/github_actions/spec/fixtures/workflow_files/pinned_sources_version_comments.yml#L7-L30

There doesn't appear to be good end-user facing documentation produced for dependabot on this feature, just the discussions on two PRs:

Update version comments for SHA-pinned GitHub Actions dependabot/dependabot-core#5951 (where they added the capability to query comments in dependabot for github actions)
For actions that are pinned-by-hash, bump the human readable version number in the code comment dependabot/dependabot-core#4691 (to auto-update the comment if the commitsha is updated)

Thanks to @huwd for the headsup on this one.


          Provided updated documentation for pinned Github Actions to align wit…

e010380

…h the managing dependencies standards

Contributor Author

andyloughran commented Feb 9, 2024

Closed in favour of #868

andyloughran closed this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet