Hacker News

hanspagel, yesterday at 6:21 AM (2 replies)

From what I see, this does not help with pinning the dependencies and it doesn’t verify the downloaded action has the same content as it used to have. In other words, this is a tiny patch on a big wound.

We use commit hashes to pin actions, have the version as a comment (e.g. # v4), and Renovate will keep both up to date in the PRs.

And there is a more or less recently added repository setting to require actions to be pinned to hashes.


Replies

baobun, yesterday at 8:07 AM

This is the way to do it.

Pin by hash.

Verify that the actions themselves aren't pulling in unpinned dependencies from Actions, NPM, or elsewhere.

Have a CI job or bot create PRs for new versions. Verify those PRs before merging.

If any particular action becomes a recurring chore or risk, consider if you should keep depending on it.

If you do these things, the "we need a package manager" is moot and most if not all of the concerns in that blog post don't affect you.

g947o, yesterday at 11:30 AM

How does this lock down transitive dependencies? Is it effective if the action you rely on doesn't pin its dependencies?

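The pinning discipline described in the thread above (pin every remote action to a full commit SHA, keep the release as a trailing "# vN" comment so update bots know what it corresponds to, and check that the actions you pull in do the same) can be enforced mechanically. The checker below is an added example written for this page, not code from any commenter or from GitHub/Renovate. It scans the `uses:` lines of workflow text and reports anything that is not pinned the way hanspagel and baobun describe. The workflow text and the 40-hex SHAs in it are constructed placeholders, not real commits. Because composite actions declare their own steps with the same `uses:` syntax in `action.yml`, running the same function over each dependency's `action.yml` answers part of g947o's transitive-dependency question; it does not see what a JavaScript action pulls from npm, which still needs a lockfile review.

```python
import re
from typing import List, Tuple

# (line number, the `uses:` reference as written, description of the problem)
Finding = Tuple[int, str, str]

# Matches `- uses: owner/repo@ref  # comment` in workflow or composite-action YAML.
USES_RE = re.compile(
    r'^\s*-?\s*uses:\s*["\']?(?P<ref>[^\s"\']+)["\']?\s*(?P<comment>#.*)?$'
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # full git commit SHA
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")  # OCI image digest

# Constructed sample workflow for demonstration; the SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
      - uses: actions/setup-node@v4
      - uses: some-org/some-action@main
      - uses: actions/cache@1111111111111111111111111111111111111111
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: npm ci
"""


def check_uses(ref: str, comment: str) -> str:
    """Return a problem description for one `uses:` reference, or "" if it is acceptably pinned."""
    if ref.startswith("./"):
        # Local action in the same repository: already fixed by the checked-out commit.
        return ""
    if ref.startswith("docker://"):
        return "" if DIGEST_RE.search(ref) else "container image is not pinned by sha256 digest"
    if "@" not in ref:
        return "no ref given"
    _, _, rev = ref.rpartition("@")
    if not SHA_RE.match(rev):
        # Tags and branches are mutable: the content behind them can change after review.
        return f"ref '{rev}' is a tag or branch, not a 40-hex commit SHA"
    if not comment:
        return "pinned by SHA but missing the '# vN' version comment that update bots key on"
    return ""


def find_unpinned(text: str) -> List[Finding]:
    """Scan workflow (or composite action.yml) text and list every `uses:` that fails the policy."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        problem = check_uses(m.group("ref"), m.group("comment") or "")
        if problem:
            findings.append((lineno, m.group("ref"), problem))
    return findings


if __name__ == "__main__":
    for lineno, ref, problem in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {problem}")
```

Run as a pre-merge CI step over `.github/workflows/*.yml` and over the `action.yml` of each pinned dependency after checking it out at the pinned SHA, and fail the job on any finding. It complements the repository setting hanspagel mentions rather than replacing it: the setting stops unpinned references from being merged, while this check also reports the missing version comment and unpinned container images.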