Pinning to specific revision hashes is considered a best practice when using third-party GitHub Actions in workflows.
An undocumented feature was added to Dependabot several years ago which makes it possible to pin to a commit hash while keeping a human-readable comment containing the version/tag, with both the hash and the comment updated by Dependabot.
That is, Dependabot should be able to make updates like this automatically:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
We should update all of our references to third-party GitHub actions to use specific commit hashes in this way.
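To make the migration auditable, the following lint (an added example, not part of the original issue) scans a workflow file for `uses:` steps and reports which third-party actions are pinned to a full 40-hex commit SHA with a Dependabot-style version comment, which are pinned but lack the comment, and which still point at a mutable tag or branch. The workflow text is constructed for the example; `example-org/some-action` and its `deadbeef…` hash are placeholders.

```python
import re

# One `uses:` step reference, optionally followed by the trailing version comment
# that Dependabot maintains, e.g. `owner/repo@<sha> # v4.2.2`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:[ \t]*#[ \t]*(\S+))?", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify_ref(ref, comment):
    """Classify one `uses:` target.

    'local'      - a repository path or docker:// image; nothing to pin to a commit
    'pinned'     - full 40-hex SHA plus a version comment Dependabot can keep in sync
    'no-comment' - full SHA but no trailing tag comment (correct, but hard to review)
    'unpinned'   - tag, branch or abbreviated SHA (mutable or not unique)
    """
    if ref.startswith("./") or ref.startswith("docker://"):
        return "local"
    if "@" not in ref:
        return "unpinned"
    _, version = ref.rsplit("@", 1)
    if FULL_SHA_RE.fullmatch(version):
        return "pinned" if comment else "no-comment"
    return "unpinned"

def audit_workflow(text):
    """Return [(action_ref, status), ...] for every `uses:` line in a workflow."""
    return [(m.group(1), classify_ref(m.group(1), m.group(2)))
            for m in USES_RE.finditer(text)]

def unpinned_actions(text):
    """Third-party references that still need to be migrated to SHA + version comment."""
    return [ref for ref, status in audit_workflow(text) if status in ("unpinned", "no-comment")]

# Constructed sample workflow; the checkout line is the pinned form shown in the issue.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Set up Python
        uses: actions/setup-python@v5
      - uses: ./.github/actions/local-build
      - uses: docker://alpine:3.20
      - uses: example-org/some-action@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
"""

if __name__ == "__main__":
    for ref, status in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{status:11} {ref}")
```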