Nested quarto action in `setup-r-dependencies@v2` breaks workflow in restricted Organization setup

[solmos]

Is your feature request related to a problem? Please describe.
My GitHub Organization only allows to use specific minor release versions (vX.X.X) of untrusted third-party actions, and they consider that quarto-dev/quarto-actions/setup falls under this category (r-lib actions do not). Thus the nested quarto-dev/quarto-actions/setup@v2 action in setup-r-dependencies@v2.10.0 introduced in 67f8747 causes all workflows to fail due to the version used for the quarto action. This occurs even if we set install-quarto: false, since the workflow will first check if all the actions required by a given action can be downloaded.

Describe the solution you'd like
If this dependency in quarto-dev/quarto-actions/setup is desirable, a solution would be to include an input parameter in r-lib/actions/setup-r-dependencies for specifying the version of the quarto action.

Describe alternatives you've considered
We could use setup-r-dependencies@v2.9.0 but we would be stuck with an outdated action forever.

[gaborcsardi]

My GitHub Organization only allows to use specific minor release versions (vX.X.X) of untrusted third-party actions,

That is a pretty weird policy, considering, that these tags are merely labels, that can be changed later, whether they are minor release versions or not.

But I guess we can use a minor version of that action, no problem.

a solution would be to include an input parameter in r-lib/actions/setup-r-dependencies for specifying the version of the quarto action.

I am fairly sure that you cannot parameterize action versions. The action versions of a workflow run are resolved up front, before any parameters are considered.

[github-actions]

This issue has been automatically locked. If you believe you have found a related problem, please file a new issue and include a link to this issue