
Maintaining the version after the full length commit SHA is generated #1087

Closed
n-th opened this issue Aug 23, 2022 · 4 comments

Comments

@n-th

n-th commented Aug 23, 2022

I would like to make a suggestion. Could we maintain the version of the commit SHA as a comment after the workflow is processed?

I mean something like this:

```yaml
jobs:
  integration-test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v1
```

```yaml
jobs:
  integration-test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 #v1.x.x
```

I think it would help us keep track of the human-readable version of the tools we are using.

@varunsh-coder
Member

Thanks @n-th for creating the issue!

We did add such a comment earlier. Then a user suggested that we should remove the comment, because when dependabot updates the Action, it does not update the comment. So the comment does not remain in sync with the commit SHA.
Here is the issue: #569

Renovatebot does have an option to specify the tag in a comment, and it uses that tag to update the commit SHA. So, we could do this if the project uses renovatebot.

In addition, if you want this feature either when dependabot is used, or there is no update tool configured, we can do that and expose it as a configurable option. So, by default, it will not add a comment. But you can set a configuration (exposed as a checkbox in the UI) to add the comment. Please let me know your preference...
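The drift described in the two comments above (a bot bumps the pinned SHA but leaves the `# vX.Y.Z` comment behind, so the comment no longer names the commit actually checked out) is easy to catch in CI. The following is an added example written for this page; it is not code from the issue, from the project the issue belongs to, or from Renovate or Dependabot. `lint_workflow`, `Finding`, `has_drift`, the tag-to-SHA table and the sample workflow are all constructed here, and the SHAs are placeholders, not real `actions/*` commits; a real run would fill the table from `git ls-remote --tags` for each repository rather than from a literal.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# `uses:` reference of the form owner/repo[/sub/path]@ref, optionally followed by
# a "# <tag>" comment carrying the human-readable version.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+).*)?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line_no: int
    action: str
    kind: str  # "unpinned" | "no-comment" | "unknown-tag" | "stale-comment" | "ok"
    detail: str


def lint_workflow(text: str, tag_to_sha: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Classify every `uses:` line of a workflow file.

    tag_to_sha maps "owner/repo" -> {tag: 40-hex commit SHA}. Assumption: the
    caller supplies this table; in CI you would build it from
    `git ls-remote --tags https://github.com/<owner>/<repo>` rather than trust
    anything written in the workflow itself.
    """
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m is None:
            continue  # not an owner/repo@ref step (docker://, ./local-action, ...)
        action, ref, comment = m["action"], m["ref"], m["comment"]
        repo = "/".join(action.split("/")[:2])  # drop any sub-path for the lookup

        if not FULL_SHA_RE.match(ref):
            findings.append(Finding(line_no, action, "unpinned",
                                    f"{ref!r} is a mutable tag or branch, not a full commit SHA"))
            continue
        if comment is None:
            findings.append(Finding(line_no, action, "no-comment",
                                    "pinned to a SHA but no tag comment records the version"))
            continue

        expected = tag_to_sha.get(repo, {}).get(comment)
        if expected is None:
            findings.append(Finding(line_no, action, "unknown-tag",
                                    f"comment tag {comment!r} does not exist for {repo}"))
        elif expected != ref:
            # The failure mode from the thread: a bot bumped the SHA but left the
            # comment behind, so the comment now names a different commit.
            findings.append(Finding(line_no, action, "stale-comment",
                                    f"comment says {comment} ({expected[:12]}) but pin is {ref[:12]}"))
        else:
            findings.append(Finding(line_no, action, "ok", f"{comment} -> {ref[:12]}"))
    return findings


# Constructed tag -> SHA table for the demo; these are NOT real actions/* commits.
TAG_TO_SHA: Dict[str, Dict[str, str]] = {
    "actions/checkout": {"v3.5.2": "deadbeef" * 5},
    "actions/setup-node": {"v3.6.0": "cafebabe" * 5},
    "actions/cache": {"v3.0.0": "feedface" * 5, "v3.3.1": "0badf00d" * 5},
}

# Constructed workflow covering each outcome (line numbers show up in findings).
SAMPLE_WORKFLOW = """\
jobs:
  integration-test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout (not pinned)
        uses: actions/checkout@v3
      - name: Checkout (pinned, comment in sync)
        uses: actions/checkout@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef # v3.5.2
      - uses: actions/setup-node@cafebabecafebabecafebabecafebabecafebabe #v3.6.0
      - name: Cache (SHA bumped to the v3.3.1 commit, comment left at v3.0.0)
        uses: actions/cache@0badf00d0badf00d0badf00d0badf00d0badf00d # v3.0.0
      - uses: actions/upload-artifact@feedfacefeedfacefeedfacefeedfacefeedface
"""


def has_drift(findings: List[Finding]) -> bool:
    """True if any step is unpinned or any comment disagrees with its SHA."""
    return any(f.kind in ("unpinned", "stale-comment", "unknown-tag") for f in findings)


if __name__ == "__main__":
    results = lint_workflow(SAMPLE_WORKFLOW, TAG_TO_SHA)
    for f in results:
        print(f"line {f.line_no:>3}  {f.kind:<14} {f.action}: {f.detail}")
    raise SystemExit(1 if has_drift(results) else 0)
```

Treating `stale-comment` as a failure is the point: the SHA is what actually runs, so a mismatched comment is a misleading audit trail rather than a cosmetic problem. `no-comment` is left as advisory, matching the thread's position that the comment is optional and only worth keeping when the update tooling maintains it.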

@ericcornelissen
Contributor

@varunsh-coder given the lack of support for updating the comment by certain dependency management tooling, I think exposing an option to include/exclude it makes sense 👍

If this will be supported, I'd advocate for including some information on which dependency management tooling does/doesn't support it so it's easier for the user to decide what's right for them.

  • Pin actions to a full length commit SHA
    • Include tag name in comment

      Use this option only if your dependency management tooling supports it.

      | Supports it | Doesn't support it |
      |-------------|--------------------|
      | RenovateBot | Dependabot         |

@varunsh-coder
Member

Thanks @ericcornelissen for the comment. Yes, I think this sort of config makes sense. I think we will need to explicitly ask/check what dependency management tool is being used, since RenovateBot has its own particular format. We can also auto-detect this in some cases.

@varunsh-coder
Member

Closing this and #1360 as this has been implemented. Feel free to re-open if something is missing. Thanks!
