[openstreetmap/openstreetmap-website] Lock GitHub Actions dependencies to SHAs for security and predictability (PR #6332)
Nicholas La Roux
notifications at github.com
Mon Aug 18 15:56:54 UTC 2025
larouxn left a comment (openstreetmap/openstreetmap-website#6332)
> So basically the end result is more work for us to merge PRs for minor version changes?
For sure it will result in _more_ PRs but I don't think it would be a ton. Can certainly tune the Dependabot config if it turns out to be a large burden. For reference regarding update frequency per action:
- `actions/checkout` just had its first two releases (v4.3.0 and v5.0.0) since Oct 2024 (+9 months) last week ([releases](https://github.com/actions/checkout/releases))
- `ruby/setup-ruby` has had quite a few updates in the last couple months though mostly we can expect bumps every 2 months re: new Ruby versions being released ([Ruby release schedule noted](https://www.ruby-lang.org/en/news/2025/07/15/ruby-3-4-5-released/), [releases](https://github.com/ruby/setup-ruby/releases/))
- `actions/setup-node` hasn't had an update since April and before April not since March, then January, then last October ([releases](https://github.com/actions/setup-node/releases))
- `actions/upload-artifact` has only had 3 updates this year ([releases](https://github.com/actions/upload-artifact/releases))
- `coverallsapp/github-action` hasn't had any updates since January and before that last October ([releases](https://github.com/coverallsapp/github-action/releases))
Overall I think most won't result in much in terms of bumps other than `ruby/setup-ruby` which _could_ prove a bit burdensome. We could remove the SHA lock for that since it's typically one of the safer actions to silently bump anyway since it usually just adds support for new Rubies.
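A small check in the spirit of the PR, added here as an example (not code from the PR or from the openstreetmap-website project): it scans a workflow file and lists every `uses:` reference that is not pinned to a full 40-hex commit SHA, so a mutable tag such as `@v1` stands out in review. The workflow content and the all-zero/all-one SHAs are constructed placeholders, not real commits.

```shell
#!/bin/sh
# Added example: report `uses:` references in a GitHub Actions workflow that
# point at a tag or branch instead of a full commit SHA. Tags can be moved, a
# SHA cannot, which is the point of the lock-to-SHA change under discussion.

# Print each unpinned `uses:` line (with its line number) from the workflow
# file given as $1. Returns 0 if everything is pinned, 1 otherwise. Local
# actions (./path) and docker:// images are skipped: they are not tag refs.
check_pinned_actions() {
    unpinned=$(grep -nE '^[[:space:]-]*uses:' "$1" \
        | grep -vE 'uses:[^@/]*(\./|docker://)' \
        | grep -vE '@[0-9a-f]{40}([^0-9a-f]|$)' || true)
    if [ -z "$unpinned" ]; then
        return 0
    fi
    printf '%s\n' "$unpinned"
    return 1
}

# Constructed sample workflow: two tag-pinned steps (unsafe), two SHA-pinned
# steps (placeholder SHAs), and one local action that should be ignored.
SAMPLE_WORKFLOW=$(cat <<'EOF'
jobs:
  test:
    steps:
      - uses: actions/checkout@v5.0.0
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v5.0.0
      - uses: ruby/setup-ruby@v1
        with:
          bundler-cache: true
      - uses: ./.github/actions/local-thing
      - uses: "coverallsapp/github-action@1111111111111111111111111111111111111111" # v2
EOF
)

# Stand-alone demo on the constructed sample.
tmp=$(mktemp) && printf '%s\n' "$SAMPLE_WORKFLOW" > "$tmp"
if check_pinned_actions "$tmp"; then
    echo "all action references are SHA-pinned"
else
    echo "unpinned action references found (listed above)"
fi
rm -f "$tmp"
```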
https://github.com/openstreetmap/openstreetmap-website/pull/6332#issuecomment-3197501995