Configure Dependabot only to report semver releases for the github-actions ecosystem when using pinned hashes
#125481
Replies: 3 comments 2 replies
-
🕒 Discussion Activity Reminder 🕒 This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions: 1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as 2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own. 3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution. Note: This dormant notification will only apply to Discussions with the Thank you for helping bring this Discussion to a resolution! 💬
-
I maintain a project that contains the following configuration:
The project uses https://github.com/marketplace/actions/amazon-ecr-login-action-for-github-actions in some of its GitHub Action workflows.
Unfortunately, Dependabot sends us a pull request every week due to mechanical pushes to `main` at: https://github.com/aws-actions/amazon-ecr-login
We just want to receive a PR to our project when there is a tagged release for the action, and despite many attempts I have not been able to figure out how to do this. Everything in https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates implies that we should be getting PRs only for version releases, not individual commits to the dependency. For example, there is an option to ignore "version-update:semver-patch" but not, say, "version-update:commit".
I suspect this is because we actually pin the hash of the latest releases. That is, we specify `aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502` rather than `aws-actions/[email protected]` as a good security practice for an extremely sensitive operation. But upgrading on every commit to that action would be a security liability, if anything.
Is there a way to tell Dependabot only to send us PRs for semver updates, without lowering the security of our configuration?
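An added example (not from this discussion, and not Dependabot's own code) for the situation the post describes: it scans a workflow's `uses:` lines and reports which hash pins match a release tag and which track an untagged commit, so a reviewer can tell a "bump to latest main" PR from a real release bump. The release-tag map and the sample workflow are constructed for the example; in practice the map would come from `git ls-remote --tags` on each action repository.

```python
import re

# Matches `uses: owner/repo[/path]@ref`; docker:// and local ./path actions are
# skipped on purpose because they are not hash-pinned GitHub references.
USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*([\w.-]+/[\w./-]+)@([^\s#]+)",
                     re.MULTILINE)
SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed sample (not real data): commit -> release tag per action repository,
# the shape `git ls-remote --tags <repo>` gives you for the real repositories.
RELEASE_SHAS = {
    "aws-actions/configure-aws-credentials": {
        "e3dd6a429d7300a6a4c196c26e071d42e0343502": "v1.2.3",
    },
    "aws-actions/amazon-ecr-login": {
        "0123456789abcdef0123456789abcdef01234567": "v2.0.1",
    },
}

# Constructed sample workflow: one mutable tag, one release pin, one pin to an
# untagged commit (what a weekly "update to latest main" PR would leave behind).
SAMPLE_WORKFLOW = """\
jobs:
  push-image:
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v1.2.3
      - uses: aws-actions/amazon-ecr-login@89abcdef0123456789abcdef0123456789abcdef # main
"""

def audit_uses(workflow_text, release_shas):
    """Classify every action reference in a workflow.
    Returns (action, ref, status) tuples; status is one of
      'release'  - full SHA that is a tagged release (the state the post wants)
      'untagged' - full SHA with no release tag, e.g. an arbitrary commit on main
      'mutable'  - tag or branch name, not hash-pinned at all
    """
    results = []
    for action, ref in USES_RE.findall(workflow_text):
        if not SHA_RE.fullmatch(ref):
            status = "mutable"
        elif ref in release_shas.get(action, {}):
            status = "release"
        else:
            status = "untagged"
        results.append((action, ref, status))
    return results

if __name__ == "__main__":
    for action, ref, status in audit_uses(SAMPLE_WORKFLOW, RELEASE_SHAS):
        print(f"{status:9} {action}@{ref[:12]}")
```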