| ▲ | arionmiles 2 days ago | |||||||||||||||||||||||||||||||
I feel pretty happy we use Renovator (EDIT: It's Renovate) at my current workplace which by default will raise PRs to change any tags for actions with the SHA instead. Then, even when it bumps the version in future PRs, it bumps the SHA (with a comment of which tag version it represents) | ||||||||||||||||||||||||||||||||
| ▲ | jamietanna 2 days ago | parent | next [-] | |||||||||||||||||||||||||||||||
Glad to hear you're enjoying Renovate - I'm biased, but I agree that the SHA pinning PR updates are a very nice feature We recently found (in Renovate) some edge cases with how tags work in GitHub Actions which was fun (https://news.ycombinator.com/item?id=47892740) and there's a few things in there Dependabot doesn't seem to support too | ||||||||||||||||||||||||||||||||
| ▲ | mmarian 2 days ago | parent | prev | next [-] | |||||||||||||||||||||||||||||||
If you auto merge those PRs you're back to square 1 as you're not vetting your dependency updates. And if you don't, you incur operational overhead unless you put in a fair amount of effort centralizing. Wrote a couple of posts that touched on this https://developerwithacat.com/blog/202604/github-actions-sup... | ||||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||||
| ▲ | tecleandor 2 days ago | parent | prev [-] | |||||||||||||||||||||||||||||||
Is it Renovator or Renovate? I'm trying to find it to check it out... | ||||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||||