### Description

Lock GitHub Actions dependencies to specific version SHAs for security and predictability. Doing so is a best practice as we then know exactly which version of a given dependency is being used. Without locking to SHAs, Actions will simply use whatever latest version is available for the given specified version, usually a major such as "v4", leading to "silent bumps" at the GitHub Action runtime level.
Locking to SHAs will also allow us to receive patch and minor level dependency upgrade PRs as opposed to, in most cases, just bumps for major versions.

### How has this been tested?

CI and Danger runs will prove if these changes are proper or not as they only affect GitHub Actions. For reference here are the GitHub Actions dependencies releases so we can check the SHAs.

- https://github.com/actions/checkout/releases/tag/v5.0.0 (https://github.com/actions/checkout/commit/08c6903cd8c0fde910a37f88322edcfb5dd907a8)
- https://github.com/ruby/setup-ruby/releases/tag/v1.255.0 (https://github.com/ruby/setup-ruby/commit/829114fc20da43a41d27359103ec7a63020954d4)
- https://github.com/actions/setup-node/releases/tag/v4.4.0 (https://github.com/actions/setup-node/commit/49933ea5288caeca8642d1e84afbd3f7d6820020)
- https://github.com/actions/upload-artifact/releases/tag/v4.6.2 (https://github.com/actions/upload-artifact/commit/ea165f8d65b6e75b540449e92b4886f43607fa02)
- https://github.com/coverallsapp/github-action/releases/tag/v2.3.6 (https://github.com/coverallsapp/github-action/commit/648a8eb78e6d50909eff900e4ec85cab4524a45b)

You can view, comment on, or merge this pull request online at:
https://github.com/openstreetmap/openstreetmap-website/pull/6332

-- Commit Summary --

* Lock GitHub Actions dependencies to SHAs for security and predictability

-- File Changes --

M .github/workflows/danger.yml (4)
M .github/workflows/docker.yml (2)
M .github/workflows/lint.yml (24)
M .github/workflows/tests.yml (12)

-- Patch Links --

https://github.com/openstreetmap/openstreetmap-website/pull/6332.patch
https://github.com/openstreetmap/openstreetmap-website/pull/6332.diff
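The pinning this PR describes, as an added example that is not part of the PR or of the project's workflow files: a small Python checker that flags `uses:` references not pinned to a full 40-hex commit SHA, and a rewriter that applies tag-to-SHA pins to a constructed sample workflow using the SHAs listed above (the trailing `# vX.Y.Z` comment is the convention Dependabot reads so it can keep offering version bumps on SHA-pinned actions).

```python
import re

# A `uses:` step line: prefix, owner/repo(/path), "@", ref, optional "# comment".
# Local actions (`./path`) have no "@" and are not matched.
USES_RE = re.compile(r"^(\s*-?\s*uses:\s*)([^\s@#]+)@([^\s#]+)\s*(#.*)?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow (not from the project), using floating major tags.
BEFORE = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: ruby/setup-ruby@v1
        with:
          bundler-cache: true
      - uses: actions/upload-artifact@v4
"""

# tag reference -> (release commit SHA, release tag), values as listed in the PR.
PINS = {
    "actions/checkout@v5": ("08c6903cd8c0fde910a37f88322edcfb5dd907a8", "v5.0.0"),
    "ruby/setup-ruby@v1": ("829114fc20da43a41d27359103ec7a63020954d4", "v1.255.0"),
    "actions/upload-artifact@v4": ("ea165f8d65b6e75b540449e92b4886f43607fa02", "v4.6.2"),
}


def find_unpinned(workflow_text):
    """Return (line_no, action, ref) for each `uses:` whose ref is not a full commit SHA.
    Tags, branches and abbreviated SHAs all count as unpinned: only 40 hex chars pass."""
    unpinned = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m.group(3)):
            unpinned.append((line_no, m.group(2), m.group(3)))
    return unpinned


def pin_uses(workflow_text, pins):
    """Rewrite `uses: action@tag` to `uses: action@<sha> # <tag>` for every known pin.
    Lines without a known pin are left untouched so a reviewer sees them in find_unpinned()."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        key = f"{m.group(2)}@{m.group(3)}" if m else None
        if key in pins:
            sha, tag = pins[key]
            line = f"{m.group(1)}{m.group(2)}@{sha} # {tag}"
        out.append(line)
    return "\n".join(out) + "\n"
```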
_______________________________________________ rails-dev mailing list rails-dev@openstreetmap.org https://lists.openstreetmap.org/listinfo/rails-dev