Provide dynamic version tags about action HOT 8 CLOSED

didn't notice this: DEPRECATED this action is in maintenance-only mode and will not be accepting new features.

from action.

also a dupe of #79 -- also github is moving away from dynamic version tags for actions (especially for their security implications)

from action.

@asottile if someone wanted to introduce security issue they could always overwrite full tag name e.g. v2.0.2 anyway.
You would actually need to recommend using hashes to patch that.

Can you share a link to support this?

also github is moving away from dynamic version tags for actions (especially for their security implications)

from action.

• https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions
• https://docs.github.com/en/code-security/supply-chain-security/keeping-your-actions-up-to-date-with-dependabot

from action.

Thanks.

Pin actions to a full length commit SHA
Pin actions to a tag only if you trust the creator

As I expected. Regular and dynamic tags are just as secure. Might as well have one.

from action.

Agree with @lukasz-mitka that using a tag like @v3.0.1 is not more secure than a tag like @v3, "because a tag can be moved or deleted if a bad actor gains access to the repository storing the action", as GitHub explains.

GitHub is not "moving away" from tags like @v3. They simply provide guidance on how to be more secure by using SHAs, at https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

As for the Dependabot link, it's about keeping actions up-to-date. Right now, I get close to 100 dependabot PRs whenever there's a new major version of a common action (like actions/checkout). With pre-commit/action, I get one every time there's a new patch version. If every action did things like pre-commit/action, dependabot would be unmanageable. Having refs like @v3 means my actions are automatically up-to-date until there's a major version – this is good for security.

from action.

Anyway, will you be merging the main branch into the release branch (which can be used as a ref – it just doesn't have the benefit of helping users guard against breaking changes, like a well-managed v3 would) ?

from action.

the release branch is legacy (v2 and earlier)

from action.