- Notifications
You must be signed in to change notification settings - Fork455
Definepermissions in workflows and update actions#531
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Conversation
Hello from actions/github-script! (e4e4c24) |
| @@ -3,7 +3,7 @@ description: 'Set up node and install dependencies' | |||
| runs: | |||
| using: 'composite' | |||
| steps: | |||
| - uses: actions/setup-node@v3 | |||
| - uses: actions/setup-node@v4 | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I noticed Dependabot missed this one. I can't recall if there was an issue with nested actions before, but did you want a PR to add the extra job?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Is that something we can configure with Dependabot or a feature gap?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I think I tried it before with a differentdirectory value, but I don't remember if there was an issuehttps://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot#enabling-dependabot-version-updates-for-actions.
I'll send something over, but don't hold this up on my part. I think you'll see it in the Insights>Dependancies tab after if it "works"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Opened#532
| @@ -17,4 +17,4 @@ jobs: | |||
| uses: actions/checkout@v4 | |||
| - name: Publish | |||
| id: publish | |||
| uses: actions/publish-immutable-action@0.0.3 | |||
| uses: actions/publish-immutable-action@0.0.4 | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
There is a typo in the current string that Dependabot fixed in its PR
| uses:actions/publish-immutable-action@0.0.4 | |
| uses:actions/publish-immutable-action@v0.0.4 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
This is actually a feature of immutable actions, it will be available more broadly soon -github/roadmap#592
With semantic versioning of actions, thev is optional.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Interesting, just noticed because VSCode also complains about the missingv, since it tries to resolve a tag that doesn't exist (without thev)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Good catch! I'll pass that along to the team
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Hi
08caadd intomainUh oh!
There was an error while loading.Please reload this page.
I noticed that Dependabot triggered workflows were failing due to permissions not being defined (Dependabot defaults to read only permissions if none are defined) -#523
This PR defines
permissionsfor every workflow, updates action references, and removes the unused stale workflow which I disabled a long time ago.