Add semver to dependencies #5582

@yurishkuro

Description

In the GitHub workflows we try to use exact hashes for reproducible builds, but also indicate a semver in the comments which is understood by dependency bots. However, when we have only the hash, the bots can attempt to upgrade to the latest commit (example: #5573), which we don't want; we only want to upgrade to released versions.

We need to find workflows that either specify a hash without the semver, or only a version without a hash, and update them to action/name@hash # vX.Y.Z. Their respective repos can be used to find the matching hash / semver.
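
One way to run the audit the issue asks for, as an added example that is not part of the original issue or the project's code: it classifies each `uses:` line as conforming, hash without semver, or version without hash. The function names, the status strings and the sample workflow (action names, hashes, versions) are constructed for illustration.

```python
import re

# A step's `uses:` value with an optional trailing comment.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(?:#\s*(.*))?$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")        # full commit hash
SEMVER_RE = re.compile(r"^v\d+\.\d+\.\d+")    # the "# vX.Y.Z" comment

def classify(line):
    """Return (action, status) for a `uses:` line, or None for other lines."""
    m = USES_RE.match(line)
    if not m:
        return None
    target, comment = m.group(1), (m.group(2) or "").strip()
    # Local actions and docker images carry no git ref to pin.
    if target.startswith(("./", "docker://")):
        return (target, "skip")
    action, _, ref = target.partition("@")
    if not SHA_RE.match(ref):
        return (action, "version-without-hash")
    if not SEMVER_RE.match(comment):
        return (action, "hash-without-semver")
    return (action, "ok")

def audit(text):
    """Return [(line_no, action, status)] for every non-conforming reference."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        res = classify(line)
        if res and res[1] not in ("ok", "skip"):
            findings.append((no, res[0], res[1]))
    return findings

# Constructed sample workflow: names, hashes and versions are placeholders.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: example-org/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.1
      - uses: example-org/setup-go@89abcdef0123456789abcdef0123456789abcdef
      - uses: example-org/upload@v3
      - uses: ./.github/actions/local-setup
"""

if __name__ == "__main__":
    for no, action, status in audit(SAMPLE):
        print(f"line {no}: {action}: {status}")
```

The check only confirms the shape `action/name@hash # vX.Y.Z`; whether the hash actually corresponds to the commented version still has to be verified against the action's repository.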

Labels: good first issue (Good for beginners), help wanted (Features that maintainers are willing to accept but do not have cycles to implement)