bitset already hash-pins its GitHub Actions (done in #136), which is great. However, hashes are hard to update manually, so we could use dependabot to do this work automatically.
We can set up dependabot to send a single periodic PR to update all the hashes. This will help keep your CI up-to-date. If you'd rather keep the Actions fixed at these trusted versions, that's understandable.
In any case, I'll also suggest enabling Dependabot security updates (if you haven't already – that information isn't visible from outside). These are PRs sent by Dependabot whenever a vulnerability is reported on a dependency. This will ensure that, should a vulnerability be discovered in the hash-pinned version of an Action, bitset will immediately receive a PR to migrate to a patched version. To enable security updates:
In the meantime, I'll send a PR adding dependabot so you can take a look.
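For reference, the kind of configuration the issue is proposing looks like the following. This is an added example, not the PR mentioned above and not bitset's own file; it assumes the workflows live in the default `.github/workflows/` directory and picks a weekly schedule, both of which are choices rather than anything stated in the issue.

```yaml
# .github/dependabot.yml (example configuration, not bitset's own)
version: 2
updates:
  # Watch the GitHub Actions referenced by the workflow files.
  # "directory: /" tells Dependabot to look in .github/workflows/.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      # Assumed cadence; "monthly" is a reasonable alternative.
      interval: "weekly"
    # Group every Action into one PR so hash bumps arrive as a single
    # periodic change instead of one PR per Action.
    groups:
      github-actions:
        patterns:
          - "*"
```

With this in place, Dependabot rewrites each hash-pinned `uses:` line (for example `uses: actions/checkout@<sha> # v4`) to the commit of the newer release and updates the trailing version comment. The pin is only as trustworthy as the commit it points at, so when reviewing such a PR it is worth confirming that the new SHA really is the one tagged for that release upstream before merging. Security updates are a separate repository setting and are not controlled by this file.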