Description
Currently, we have a dependabot cooldown period of 3 days for Go Modules and GitHub Actions.
Historically, we've tried to SHA pin third-party actions but not first-party ones (github, actions orgs). With a dependabot cooldown of 3 days, we can't pin to major version tags (and it's not clear we would want to) because when a new release comes out, dependabot will open PRs for the previous minor version.
Either we exclude first-party actions from the dependabot cooldown, or we move forward on each patch release, in which case we might as well get the advantage of SHA pinning, rather than validating that all the consumed actions have immutable releases turned on. It's also a more consistent approach.
Finally, if the dependabot toil becomes too large, we can have an action to auto-merge when first-party bumps come in. At least in this case, we wouldn't be any worse off than today but would have an additional 3 days to respond to any supply chain issues. We're also quite likely to hear of any security issues that need to be patched within 3 days for first-party actions.
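One check that follows from the SHA-pinning choice above, added here as an example and not part of this PR or repository: a POSIX shell function that reports every `uses:` reference in a workflow file that is not pinned to a full 40-hex commit SHA, so a CI job can fail when a tag-pinned action slips in. The sample workflow, action names and SHA it scans are constructed placeholders.

```shell
#!/bin/sh
# Report `uses:` references in a GitHub Actions workflow that are not pinned
# to a full commit SHA. Prints each unpinned ref; returns 1 if any were found.
unpinned_uses() {
  file="$1"
  found=0
  # Pull the ref after "uses:" (quoted or not, with or without a list dash),
  # dropping any trailing "# vX.Y.Z" comment.
  while IFS= read -r ref; do
    case "$ref" in
      ""|./*|docker://*) continue ;;   # local paths and docker images are not pinnable by SHA
    esac
    sha="${ref#*@}"
    if [ "$sha" = "$ref" ] || ! printf '%s' "$sha" | grep -Eq '^[0-9a-f]{40}$'; then
      printf 'unpinned: %s\n' "$ref"
      found=1
    fi
  done <<EOF
$(sed -n 's/^[[:space:]-]*uses:[[:space:]]*"\{0,1\}\([^" #]*\).*/\1/p' "$file")
EOF
  return $found
}

# Constructed sample workflow (placeholder names and SHA, not a real repository).
sample_workflow() {
  cat > "$1" <<'EOF'
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
      - uses: ./.github/actions/local-step
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3 (placeholder SHA)
EOF
}

# Stand-alone usage: scan the sample; the two tag-pinned first-party actions are reported.
tmp=$(mktemp)
sample_workflow "$tmp"
unpinned_uses "$tmp" || echo "unpinned references found"
rm -f "$tmp"
```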