Thanks, adding them should be fine. I dropped them when I switched to hashes because it was ever so slightly easier and because it's not as if there is a runtime check that verifies that the comment is actually accurate. Now, I don't think that the latter is a practical concern because the values are always generated by Dependabot, which we trust. On the other hand, probably nothing we do here is of great practical significance because... we trust Dependabot to update as soon as a problem is identified (and/or for security advisories to recognize the vulnerable version by its hash, I hope, or at least I hope that it doesn't trust the comment!).
The GitHub workflow files of Guava currently refer to action versions by commit hash, for example:
guava/.github/workflows/ci.yml
Lines 69 to 70 in a6a34dc
While this is good from a security perspective, it makes it difficult at a glance to see which version number (such as "v1.2.3") of that action is used.
What do you think about adding version comments, such as # v1.2.3, behind the commit hashes? It seems Dependabot will automatically update those comments.
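The reply above notes that nothing at runtime verifies that a "# v1.2.3" comment next to a commit hash is accurate, and the issue text describes the hash-plus-comment layout itself. The following script, an added example that is not Guava's, Dependabot's or GitHub's code, parses that layout out of a workflow file and cross-checks each version comment against the commit the tag resolves to. The workflow text, the action names' tag tables and all 40-hex hashes are constructed placeholders; in practice the tag table would come from `git ls-remote --tags` against each action's repository.

```python
"""Check that '# vX.Y.Z' comments beside commit-hash-pinned GitHub Actions
agree with the commit the named tag actually points to.

Added example, not code from Guava, Dependabot or GitHub. The workflow and
the tag tables below are constructed sample data; the hashes are
placeholders and do not correspond to real commits of any action.
"""
import re
from typing import Dict, List, Tuple

# Matches step lines such as:
#   - uses: actions/checkout@<40-hex-sha>   # v4.1.1
# capturing the action, the ref after '@' and an optional trailing comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed placeholder hashes (not real commits).
SHA_A = "a" * 40
SHA_B = "b" * 40
SHA_C = "c" * 40
SHA_D = "d" * 40

# Constructed sample workflow mixing a correct pin, a stale comment,
# a pin with no comment and an unpinned tag reference.
SAMPLE_WORKFLOW = f"""\
name: CI
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{SHA_A} # v4.1.1
      - uses: actions/setup-java@{SHA_B} # v4.0.0
      - uses: actions/cache@{SHA_C}
      - uses: actions/upload-artifact@v3
"""

# Constructed stand-in for `git ls-remote --tags` output per action:
# tag name -> commit the tag resolves to.
SAMPLE_TAGS: Dict[str, Dict[str, str]] = {
    "actions/checkout": {"v4.1.1": SHA_A},
    "actions/setup-java": {"v4.0.0": SHA_D, "v3.13.0": SHA_B},
    "actions/cache": {"v3.3.2": SHA_C},
}


def parse_uses(workflow_text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, action, ref, comment) for every `uses:` step line."""
    found = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            found.append((n, m["action"], m["ref"], m["comment"] or ""))
    return found


def check_pins(workflow_text: str,
               tags: Dict[str, Dict[str, str]]) -> List[Tuple[int, str, str]]:
    """Return one (line_no, action, finding) per step that needs attention.

    A step is clean only when it is pinned to a full commit hash, carries a
    version comment, and that comment names a tag resolving to the same hash.
    """
    findings = []
    for n, action, ref, comment in parse_uses(workflow_text):
        if not SHA_RE.match(ref):
            findings.append((n, action, f"not pinned to a commit hash (ref {ref!r})"))
            continue
        if not comment:
            findings.append((n, action, "hash pin without a version comment"))
            continue
        resolved = tags.get(action, {}).get(comment)
        if resolved is None:
            findings.append((n, action, f"comment {comment} is not a known tag"))
        elif resolved != ref:
            findings.append((n, action,
                             f"comment {comment} points at {resolved[:7]}, "
                             f"but the pin is {ref[:7]}"))
    return findings


if __name__ == "__main__":
    for line_no, action, finding in check_pins(SAMPLE_WORKFLOW, SAMPLE_TAGS):
        print(f"line {line_no}: {action}: {finding}")
```

Running it on the constructed workflow reports the stale setup-java comment, the cache pin that has no comment, and the upload-artifact step that is not hash-pinned at all, while the correctly annotated checkout step produces no finding. A mismatch between the comment and the hash is exactly the case the reply says nothing currently checks; it does not weaken the pin itself, but it means a human reading the file would misjudge which release is in use.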