larouxn left a comment (openstreetmap/openstreetmap-website#6332)

Like I said, it's highly unlikely anything actually malicious will occur since 
1. all the actions in use are official ones and 2. the actions are only used 
for CI and PR utility. The inspiration behind this is that it's a best practice 
for security and predictability.

> how am I supposed to evaluate if that is a genuine version or a 
> bugged/infected/malicious version?

When a Dependabot PR appears, one can read the README and, if desired, click 
in and see the diff between the previous tag/commit and the new tag/commit. This 
change at least allows us a chance to actually see what's changing in the 
GitHub Actions dependencies we use. Without it, the underlying dependencies are 
just changing (excluding major version bumps) whenever a new version is 
released, without any review.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/6332#issuecomment-3201851458
You are receiving this because you are subscribed to this thread.

Message ID: 
<openstreetmap/openstreetmap-website/pull/6332/c3201851...@github.com>
_______________________________________________
rails-dev mailing list
rails-dev@openstreetmap.org
https://lists.openstreetmap.org/listinfo/rails-dev
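As an added example (not code from the PR or from the openstreetmap-website project), here is a small Ruby script that does the check the comment above argues for: it scans a GitHub Actions workflow for `uses:` references that point at a mutable tag or branch (which can be moved to different code after the fact) rather than a full 40-hex commit SHA, and it builds the GitHub compare URL a reviewer opens to read the diff between the old and new commit of a bumped action. The sample workflow, the 40-hex SHA in it and the action names are constructed placeholders for this example.

```ruby
# Added example, not the project's own code. Audits the `uses:` references in a
# GitHub Actions workflow and flags anything not pinned to a full commit SHA.

FULL_SHA = /\A\h{40}\z/
# Matches `- uses: owner/repo@ref   # optional version comment`
USES_LINE = /\A\s*-?\s*uses:\s*["']?(?<uses>[^\s"'#]+)["']?\s*(?:#\s*(?<comment>\S.*?))?\s*\z/

# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = <<~YAML
  name: CI
  "on": [push, pull_request]
  jobs:
    test:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v4
        - uses: ruby/setup-ruby@main
        - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.0
        - uses: ./.github/actions/local-helper
        - uses: docker://alpine:3.19
        - run: bundle exec rake test
YAML

# Classify a single `uses:` target.
#   :sha      full commit SHA (immutable; its diff can be reviewed)
#   :mutable  tag or branch (the owner can move it to point at different code)
#   :unpinned no @ref at all
#   :local    action checked into this repository (reviewed with the repo itself)
#   :docker   images count as :sha only when pinned by @sha256 digest
def classify_ref(uses)
  return :local if uses.start_with?("./")
  if uses.start_with?("docker://")
    return uses.include?("@sha256:") ? :sha : :mutable
  end
  _repo, ref = uses.split("@", 2)
  return :unpinned if ref.nil? || ref.empty?
  ref.match?(FULL_SHA) ? :sha : :mutable
end

# Scan line by line (a YAML parser would drop the trailing version comment)
# and return one finding per `uses:` entry.
def audit_workflow(text)
  text.each_line.with_index(1).filter_map do |line, lineno|
    m = USES_LINE.match(line) or next
    { line: lineno, uses: m[:uses], kind: classify_ref(m[:uses]), comment: m[:comment] }
  end
end

# Findings a reviewer should act on: anything mutable or unpinned, plus SHA
# pins that lack the `# vX.Y.Z` comment Dependabot keeps in sync with the SHA.
def pinning_problems(text)
  audit_workflow(text).reject { |f| f[:kind] == :local }.select do |f|
    f[:kind] != :sha || f[:comment].nil?
  end
end

# Diff between the previous and new ref of an action, as a GitHub compare URL.
def compare_url(repo, old_ref, new_ref)
  "https://github.com/#{repo}/compare/#{old_ref}...#{new_ref}"
end

if $PROGRAM_NAME == __FILE__
  pinning_problems(SAMPLE_WORKFLOW).each do |f|
    puts "line #{f[:line]}: #{f[:uses]} (#{f[:kind]})"
  end
end
```

Run it against `.github/workflows/*.yml` to get a list of lines to convert. Once an action is pinned as `owner/repo@<sha> # vX.Y.Z`, Dependabot's `github-actions` ecosystem bumps both the SHA and the version comment, and the compare URL above is the diff to read before merging; the pin only buys anything if someone actually reads that diff, since it moves the trust from the tag owner to the reviewer.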
