Add action version comments in GitHub workflow files
Marcono1234 opened this issue
The GitHub workflow files of Guava currently refer to action versions by commit hash, for example:
guava/.github/workflows/ci.yml, lines 69 to 70 at a6a34dc
While this is good from a security perspective, it makes it difficult at a glance to see which version number (such as "v1.2.3") of that action is used.
What do you think about adding version comments, such as # v1.2.3, behind the commit hashes? It seems Dependabot will automatically update those comments.
Thanks, adding them should be fine. I dropped them when I switched to hashes because it was ever so slightly easier and because it's not as if there is a runtime check that verifies that the comment is actually accurate. Now, I don't think that the latter is a practical concern because the values are always generated by Dependabot, which we trust. On the other hand, probably nothing we do here is of great practical significance because... we trust Dependabot to update as soon as a problem is identified (and/or for security advisories to recognize the vulnerable version by its hash, I hope, or at least I hope that it doesn't trust the comment!).
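An added lint check for the convention discussed in this thread (example code, not part of Guava or its workflow files): it flags uses: lines that are not pinned to a 40-character commit SHA, and SHA-pinned lines that lack a "# vX.Y.Z" comment. It cannot confirm that a comment matches its hash, which, as the reply above notes, nothing at runtime verifies either; the sample workflow and its SHAs are constructed placeholders.

```python
import re

# Matches a workflow "uses:" step such as
#   - uses: actions/checkout@<40-hex-sha>  # v4.1.1
# and captures the action name, the ref after "@" and any trailing comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^@\s]+)@(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>.*))?$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# A version comment is expected to start with something like "v1.2.3".
VERSION_COMMENT_RE = re.compile(r"v?\d+(\.\d+)*")


def check_uses_line(line):
    """Classify one 'uses:' line. Returns None for lines that are not
    'uses: owner/action@ref' steps (including local './' actions)."""
    m = USES_RE.match(line)
    if not m:
        return None
    ref = m.group("ref")
    comment = (m.group("comment") or "").strip()
    return {
        "action": m.group("action"),
        "ref": ref,
        "pinned_by_sha": bool(SHA_RE.match(ref)),
        "version_comment": comment if VERSION_COMMENT_RE.match(comment) else None,
    }


def lint_workflow(text):
    """Return (line_no, message) findings for the text of one workflow file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        info = check_uses_line(line)
        if info is None:
            continue
        if not info["pinned_by_sha"]:
            findings.append((n, f"{info['action']} is pinned to mutable ref '{info['ref']}', not a commit SHA"))
        elif info["version_comment"] is None:
            findings.append((n, f"{info['action']} is pinned by SHA but has no '# vX.Y.Z' version comment"))
    return findings


# Constructed sample workflow; the SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@{sha_a}  # v4.1.1
      - uses: actions/setup-java@{sha_b}
      - uses: actions/cache@v3
""".format(sha_a="a" * 40, sha_b="b" * 40)
```

Running lint_workflow(SAMPLE_WORKFLOW) reports the setup-java step (SHA without a version comment) and the cache step (tag instead of SHA), and accepts the checkout step.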