MNT: Use hash for Action workflow versions and update if needed #234
Conversation
|
@pllim do we need to do anything to configure dependabot to handle this format? |
|
No, I don't think so. @bsipocz can confirm if you need second opinion. Thanks! |
| with: | ||
| fetch-depth: 0 | ||
| lfs: true | ||
| submodules: ${{ inputs.submodules }} | ||
| - name: Install dependencies | ||
| if: ${{ inputs.libraries != '' }} | ||
| uses: ConorMacBride/install-package@main | ||
| uses: ConorMacBride/install-package@3e7ad059e07782ee54fa35f827df52aae0626f30 # v1.1.0 |
There was a problem hiding this comment.
This doesn't seem good to use a personal action in here.
There was a problem hiding this comment.
That is a separate issue:
There was a problem hiding this comment.
Well, that is still not nice, wasn't the whole point of using OpenAstronomy to eliminate single point of failures, yet it uses an action from personal repo under the hood.
|
Yeap, no changes are needed for dependabot, it handles the hashes well. (Though my preference is to have a grouped, monthly run) |
If Stuart wants that, I can also attach that change in this PR real quick. Just lemme know. |
|
Go for it! |
|
Done. Thanks, all! |
As recommended by https://scientific-python.org/specs/spec-0008/#pin-github-actions-release-workflows-to-their-full-release-commit-shas , this PR changes your Actions workflow version pins to hashes, and updates to latest release hashes (at the time of writing) if needed.
This is an automated update made by the
batchprtool 🤖 - feel free to close if it doesn't look good! You can report issues to @pllim.👻