Maintenance: bump old actions, add dependabot, fix macOS runners configuration #197
Conversation
conda-bot
added
the
cla-signed
.github/workflows/tests.yml
Outdated
| @@ -43,7 +43,7 @@ jobs: | |||
| python-version: "3.9" | |||
|
|
|||
| steps: | |||
| - uses: actions/checkout@v3 | |||
| - uses: actions/checkout@v4 | |||
There was a problem hiding this comment.
use commit hashes instead?
There was a problem hiding this comment.
We are adding dependabot here to handle that automatically.
There was a problem hiding this comment.
AFAIK dependabot will replace tags with tags and commits hashes with commits hashes, so the conversion isn't automatic
There was a problem hiding this comment.
Oh, really? That's unfortunate 😬 Let's see if there's a tool to automatically convert.
There was a problem hiding this comment.
Used https://github.com/mheap/pin-github-action and some post-processing. All pinned now.
There was a problem hiding this comment.
Do we want to add <major>.<minor>.<patch> version numbers to all of them to make it easier to see which version is used exactly?
There was a problem hiding this comment.
Ah, I see why now. Cool. Added!
There was a problem hiding this comment.
I'm more familiar with renovate than dependabot, but I have the following questions/suggestions:
- Many actions use only major version numbers. It would be more transparent to add minor and patch numbers, too. In renovate, this also results in better pull request descriptions.
- Will dependabot replace the version numbers with commit hashes eventually? This would result in better security: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
|
Description
Canaries are failing on macOS due to outdated actions. Fixing and preventing future errors.
Checklist - did you ...
newsdirectory (using the template) for the next release's release notes?