Pin all versions #39
Labels: dependencies, github_actions, go
Describe the solution you'd like
To improve supply chain security, we should pin all the versions we use in our dependencies, both GitHub Actions and Go.
Ideally the dependencies should specify the SHA, but if that is not possible without degrading the experience too much, then specifying the build number is an acceptable tradeoff.
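One way to audit a workflow for the GitHub Actions half of this, as an added example that is not part of this issue or the repository: it scans `uses:` steps and reports every one whose ref is a tag or branch rather than a full commit SHA. The sample workflow, its action names and the SHA in it are constructed placeholders.

```python
import re

# Step references in a GitHub Actions workflow look like `uses: owner/repo[/path]@ref`.
# Local actions (`uses: ./path`) and container actions (`uses: docker://...`) carry
# no git ref, so this pattern deliberately does not match them.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*([A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)@([^\s#]+)", re.MULTILINE
)

# A full 40-hex-digit commit SHA is the only immutable ref; tags and branches can move.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref):
    """Return 'sha' for a full commit hash, 'short-sha' for an abbreviated hash,
    'tag' for a version-looking tag, otherwise 'branch'. Ambiguous all-digit refs
    of 7+ characters are reported as 'short-sha'."""
    if FULL_SHA_RE.match(ref):
        return "sha"
    if re.fullmatch(r"[0-9a-f]{7,39}", ref):
        return "short-sha"
    if re.fullmatch(r"v?\d+(\.\d+)*", ref):
        return "tag"
    return "branch"


def find_unpinned_uses(workflow_text):
    """Return [(action, ref, kind)] for every `uses:` step not pinned to a full SHA."""
    findings = []
    for action, ref in USES_RE.findall(workflow_text):
        kind = classify_ref(ref)
        if kind != "sha":
            findings.append((action, ref, kind))
    return findings


# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.1 (placeholder)
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-step
      - run: go build ./...
"""

if __name__ == "__main__":
    for action, ref, kind in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"{action}@{ref}: pinned to a {kind}, not a commit SHA")
```

Keeping the version as a trailing comment next to the SHA (as in the checkout line) preserves readability while the SHA itself is what the runner resolves.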