-
-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Explicit set minor and patch version on used actions #4833
Conversation
Smoke tests fails due to an upstream issue |
CodeQl does not seem to use |
Are the minors and patches not rolled into the v3 action? I've never seen an example workflow use the full version number... |
@PromoFaux I don't think so, when you go to any action page and click on "Use latest version", you get a yaml code suggestion like |
👀 - and that's not even the latest version! |
Currently latest versions:
|
Just throwing this in here. Like Is said, I've never seen any docs point to using an exact version before - upstream actions owners should be moving the It just feels like Dependabot will be opening unnecessary PRs at with this change. Taking the actions/checkout repo as an example:
|
I see this is an issue with |
To support my statement from above: currently, we have two issues with actions, |
You might just have convinced me. I notice you have set everything to |
b138075
to
3f05b15
Compare
Signed-off-by: Christian König <ckoenig@posteo.de>
Signed-off-by: Christian König <ckoenig@posteo.de>
Signed-off-by: Christian König <ckoenig@posteo.de>
3f05b15
to
a3ac1ca
Compare
Needs re-approval after force-push to amend pgp signature. |
Allow updates for GH
actions
by dependabot also for minor and patch versions. So far, we only specify major versions in our workflows. Therefore, dependabot will only check if new major versions exist and won't update the workflow on new minor or patch versions.By explicitly setting minor and patch version we allow dependabot to update those as well.
E.g.
action/stale@v5
is currently missing theclose-issue-reason
. This was added inv5.1.0
. However, dependabot fails to recognize the update atm.P.S. I expect some dependabot PRs after this has been merged. I did not update the versions manually to get the dependabot changelog.
By submitting this pull request, I confirm the following:
git rebase
)