
Bump GitHub Actions to avoid node warnings #82

Open: wants to merge 1 commit into base: main

Conversation

cbm755 (Collaborator) commented Jul 7, 2024

I also used @vN-style pins instead of the specific commits. A few of these have crossed from v3 to v4 for example, generally for node16 -> node20 errors.


When I ran the pipeline manually under the "Actions" tab, I saw failures because of deprecated node versions. E.g., https://github.com/johannesjh/req2flatpak/actions/runs/9828146035


Not sure why these don't fail on normal CI runs, maybe I just never noticed the warnings (I'm still getting used to how GitHub Actions differs from GitLab CI).


More importantly, @johannesjh: are you ok with using these @v5 pins? I think it's a good balance between keeping things pinned but allowing patch/minor releases.

johannesjh (Owner) commented:

I'm ok with that, thanks for asking! To be honest, I have mixed feelings about them.

Pros, from a practical point of view: Perfectly fine. Pinning only the major version strikes a nice balance between "avoiding breaking changes of major updates" but still "make it simple to keep up to date". I did the same for the devcontainer image version.

Cons, from a security/software supply chain point of view: it would be better to pin the exact commit hash and do a quick check when upgrading, e.g., to check if the GitHub action or library is still actively maintained.

I propose, as a rule of thumb: if we can blindly trust the author (e.g., for the official docker python image, that may be reasonable) then we can use these relaxed vX tags. Otherwise it is better to pin the specific commit.
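As an added illustration of the rule of thumb above (example code, not from this PR or the req2flatpak project), a small audit that classifies each `uses:` reference in a workflow as SHA-pinned, `@vN` tag, full version tag, or branch/other, and accepts tag pins only from owners you choose to trust. The workflow text and the owner names in it are constructed for the example.

```python
import re

# Constructed sample workflow (not the project's real CI file).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
      - uses: some-user/some-action@main
      - uses: other-user/other-action@0123456789abcdef0123456789abcdef01234567 # v2.3.1
      - uses: ./.github/actions/local-step
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
MAJOR_TAG_RE = re.compile(r"^v\d+$")
FULL_TAG_RE = re.compile(r"^v?\d+\.\d+(\.\d+)?$")


def classify_ref(ref):
    """Return how an action reference is pinned."""
    if SHA_RE.match(ref):
        return "sha"
    if MAJOR_TAG_RE.match(ref):
        return "major-tag"
    if FULL_TAG_RE.match(ref):
        return "full-tag"
    return "branch-or-other"  # e.g. "main", or no "@ref" at all


def audit_workflow(text, trusted_owners):
    """Yield (line, repo, ref, kind, acceptable) for each remote action.

    A SHA pin is always acceptable; a tag pin is acceptable only when the
    owner is in trusted_owners (the "blindly trust the author" case);
    a branch or missing ref is never acceptable.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            continue  # local and container references are out of scope here
        repo, _, ref = target.partition("@")
        owner = repo.split("/")[0]
        kind = classify_ref(ref)
        ok = kind == "sha" or (kind.endswith("tag") and owner in trusted_owners)
        findings.append((lineno, repo, ref, kind, ok))
    return findings
```

Running `audit_workflow(SAMPLE_WORKFLOW, {"actions"})` accepts the `actions/*@vN` pins and the SHA pin but flags the `@main` reference.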
