-
-
Notifications
You must be signed in to change notification settings - Fork 2.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
build(deps): bump gradle-update/update-gradle-wrapper-action from 1 to 2 #17078
build(deps): bump gradle-update/update-gradle-wrapper-action from 1 to 2 #17078
Conversation
Bumps [gradle-update/update-gradle-wrapper-action](https://github.com/gradle-update/update-gradle-wrapper-action) from 1 to 2. - [Release notes](https://github.com/gradle-update/update-gradle-wrapper-action/releases) - [Changelog](https://github.com/gradle-update/update-gradle-wrapper-action/blob/main/CHANGELOG.md) - [Commits](gradle-update/update-gradle-wrapper-action@v1...v2) --- updated-dependencies: - dependency-name: gradle-update/update-gradle-wrapper-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
v2.0.0
? v2
is a separate tag
https://github.com/gradle-update/update-gradle-wrapper-action/tags
Changes look good:
https://github.com/gradle-update/update-gradle-wrapper-action/blob/main/CHANGELOG.md#v200
Added input parameter pr-title-template, by @paulschuberth
Added input parameter commit-message-template, by @paulschuberth
Added input parameter distributions-base-url, by @yeikel
Updated action to run with Node 20, by @chadlwilson
Updated action dependencies.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've published an action before and the tagging is annoying.
You want to tag on a specific release, but the way you specify actions normally in workflows is with a major-version only so that you get updates without having to process updates all the time.
So, what you do as an action maintainer is you maintain a major-version tag, and you tag every specific version, and with every release you slide/move the major-version tag to the new patch release. Which is kind of lame, but there you go
So this seems normal to me, for the way the github actions ecosystem works
From a security perspective: does this mean that we're not pinned to a specific version, and the action can be updated outside dependabot? |
Yes, the github action in use in any specific workflow run will be dereferenced from whatever the tag on the foreign repo is. If they slide the tag, then you get a new SHA under the tag and new software. Note, that if you specified specific tags (not a sliding semver-major tag) they could still move that tag in the repo. If you rely on a foreign repo, it can always move on you, unless you rely on a specific SHA I suppose. Which sounds...like a hassle in the "security vs usability" tradeoff. I'm inclined to trust this specific foreign repo is run well and won't cause some random thing to happen in our repo. And the tokens we allow in the workflows are constrained so they can't persist bad things if I understand correctly |
Bumps gradle-update/update-gradle-wrapper-action from 1 to 2.
Release notes
Sourced from gradle-update/update-gradle-wrapper-action's releases.
... (truncated)
Changelog
Sourced from gradle-update/update-gradle-wrapper-action's changelog.
Commits
9268373
Update changelog for v2.0.0 (#827)b1f73fd
Add distributions-base-url input to README.md (#829)7546413
action.yml: run on node20 (#828)e36e57a
Merge branch 'yeikel-custom/url'c5657a0
Merge branch 'custom/url' of github.com:yeikel/update-gradle-wrapper-action i...adc4884
Bump@actions/glob
from 0.4.0 to 0.5.0 (#826)e0054da
Bump eslint-plugin-import from 2.29.1 to 2.30.0 (#825)50f2699
Bump@actions/http-client
from 2.1.1 to 2.2.3 (#814)d0445b1
Bump typescript from 5.4.5 to 5.6.2 (#822)13be621
Customize commit messages (#679)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebase
will rebase this PR@dependabot recreate
will recreate this PR, overwriting any edits that have been made to it@dependabot merge
will merge this PR after your CI passes on it@dependabot squash and merge
will squash and merge this PR after your CI passes on it@dependabot cancel merge
will cancel a previously requested merge and block automerging@dependabot reopen
will reopen this PR if it is closed@dependabot close
will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditions
will show all of the ignore conditions of the specified dependency@dependabot ignore this major version
will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor version
will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependency
will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)