[openstreetmap/openstreetmap-website] Lock GitHub Actions dependencies to SHAs for security and predictability (PR #6332)

Tom Hughes notifications at github.com
Tue Aug 19 08:50:05 UTC 2025


tomhughes left a comment (openstreetmap/openstreetmap-website#6332)

I understand the logic of pinning, but when Dependabot opens a PR to update the pin to a new version, how am I supposed to evaluate if that is a genuine version or a bugged/infected/malicious version?

Without that it just becomes me manually doing what happens automatically now...

-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/6332#issuecomment-3199834448

Message ID: <openstreetmap/openstreetmap-website/pull/6332/c3199834448 at github.com>
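One concrete check for the question raised in the comment above, as an added example that is not part of the original thread and not code from the openstreetmap-website project: when a `uses:` line is pinned to a full commit SHA and carries the `# vX.Y.Z` comment that Dependabot maintains on its bumps, you can ask the upstream repository which commit that tag currently points at and compare. The script assumes that comment convention; `git_resolver` needs network access and is the real path, while the `example/*` repositories, tags and SHAs below are constructed so the check runs offline. Annotated tags are the edge case worth handling: `git ls-remote --tags` lists the tag object and, as `refs/tags/v1^{}`, the commit it points to, and only the peeled commit can match a pin.

```python
"""Verify that SHA-pinned GitHub Actions match the tag named in their comment.

Added example; hypothetical repositories and SHAs, not project code.
"""
import re
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# Matches lines such as
#   uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
# including actions living in a subdirectory (owner/repo/path@sha).
USES_RE = re.compile(
    r"uses:\s*(?P<owner>[\w.-]+)/(?P<name>[\w.-]+)(?:/[^@\s]+)?"
    r"@(?P<sha>[0-9a-f]{40})\s*#\s*(?P<tag>[\w.+-]+)"
)

# (repo, tag) -> commit sha the tag points at upstream, or None if absent.
Resolver = Callable[[str, str], Optional[str]]


def parse_ls_remote(output: str) -> Dict[str, str]:
    """Turn `git ls-remote --tags` output into {tag: commit sha}.

    Annotated tags appear twice: `refs/tags/v1` (the tag object) and
    `refs/tags/v1^{}` (the commit it points at). A `uses:` pin must equal
    the peeled commit, so it overrides the tag-object sha when present.
    """
    tags: Dict[str, str] = {}
    peeled: Dict[str, str] = {}
    for line in output.splitlines():
        parts = line.split("\t")
        if len(parts) != 2 or not parts[1].startswith("refs/tags/"):
            continue
        sha, ref = parts
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            peeled[name[:-3]] = sha
        else:
            tags[name] = sha
    tags.update(peeled)
    return tags


def git_resolver(repo: str, tag: str) -> Optional[str]:
    """Resolve a tag at github.com/<repo> with git ls-remote (needs network)."""
    out = subprocess.run(
        ["git", "ls-remote", "--tags", f"https://github.com/{repo}.git",
         f"refs/tags/{tag}", f"refs/tags/{tag}^{{}}"],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_ls_remote(out).get(tag)


def check_pins(workflow: str, resolve: Resolver) -> List[Tuple[str, str, str, str]]:
    """Return one (repo, tag, pinned_sha, verdict) row per pinned action.

    verdict: "ok" if the pin is the commit the tag points at upstream,
    "MISMATCH" if upstream's tag names a different commit, "UNKNOWN TAG"
    if the tag does not exist upstream at all.
    """
    rows = []
    for m in USES_RE.finditer(workflow):
        repo = f"{m['owner']}/{m['name']}"
        upstream = resolve(repo, m["tag"])
        if upstream is None:
            verdict = "UNKNOWN TAG"
        elif upstream == m["sha"]:
            verdict = "ok"
        else:
            verdict = "MISMATCH"
        rows.append((repo, m["tag"], m["sha"], verdict))
    return rows


# ---- Constructed sample data (hypothetical repos, not real upstream state) ----
SHA_OK = "1" * 40          # commit that example/checkout's v4.2.2 points at
SHA_TAGOBJ = "a" * 40      # the annotated tag object itself, never a valid pin
SHA_RUBY = "2" * 40        # commit that example/setup-ruby's v1.3.0 points at
SHA_STALE = "3" * 40       # a sha that no longer matches the tag it claims

FAKE_LS_REMOTE = {
    "example/checkout": f"{SHA_TAGOBJ}\trefs/tags/v4.2.2\n{SHA_OK}\trefs/tags/v4.2.2^{{}}\n",
    "example/setup-ruby": f"{SHA_RUBY}\trefs/tags/v1.3.0\n",
}

SAMPLE_WORKFLOW = (
    "steps:\n"
    f"  - uses: example/checkout@{SHA_OK} # v4.2.2\n"
    f"  - uses: example/setup-ruby@{SHA_STALE} # v1.3.0\n"
    f"  - uses: example/codeql/init@{SHA_RUBY} # v9.9.9\n"
)


def fake_resolver(repo: str, tag: str) -> Optional[str]:
    """Offline stand-in for git_resolver backed by the constructed output."""
    return parse_ls_remote(FAKE_LS_REMOTE.get(repo, "")).get(tag)


if __name__ == "__main__":
    for repo, tag, sha, verdict in check_pins(SAMPLE_WORKFLOW, fake_resolver):
        print(f"{verdict:12} {repo}@{sha[:12]} ({tag})")
```

Run against a real workflow with `check_pins(open(path).read(), git_resolver)`. A match only tells you the bumped SHA is what upstream currently publishes under that tag, which is enough to separate a bona fide Dependabot bump from a stray or mistyped commit; tags are mutable, so it says nothing about whether that upstream release is itself trustworthy, and the diff between the old and new SHA upstream still has to be read.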