Similar to:
The GitHub Actions dependency versions should be pinned with the commit SHA, and a corresponding comment should be added inline to track the version, for example:
```diff
- uses: oracle-actions/setup-java@v1
+ uses: oracle-actions/setup-java@b1546e588c27008e88bfcabda44d11c22316b9b8 # v1.4.2
```
To aid the review, the pull request description should contain the URL pointing to the corresponding commit of each changed action, so reviewers can verify that each SHA really is the commit of the release named in the comment.
Additionally, the Dependabot configuration should be updated to group all GitHub Actions upgrades in a single group, and that group should have a weekly schedule.
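As an added illustration of the two requirements above (not part of this issue or of any project's tooling), the following Python script checks a workflow for `uses:` references that are not pinned to a full commit SHA with a trailing version comment, produces the commit URL a reviewer would expect in the pull request description, and checks a `dependabot.yml` for a `github-actions` entry that is both grouped and on a weekly schedule. The sample workflow, the weak and recommended Dependabot snippets and the `actions/checkout@v4` reference are constructed inputs; the pinned `oracle-actions/setup-java` line reuses the SHA and version shown in this issue.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample workflow: two mutable tags, one correctly pinned action
# (the SHA/version pair quoted in this issue) and one local action, which the
# pinning rule does not apply to because it lives in the repository itself.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: oracle-actions/setup-java@v1
      - uses: oracle-actions/setup-java@b1546e588c27008e88bfcabda44d11c22316b9b8 # v1.4.2
      - uses: ./.github/actions/local-action
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")           # full 40-hex commit SHA
VERSION_RE = re.compile(r"^v?\d+(\.\d+)*")        # e.g. v1.4.2, 1.4.2, v4


def is_pinned(ref: str, comment: Optional[str]) -> Tuple[bool, str]:
    """Return (ok, reason) for one `uses:` value and its inline comment."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return True, f"{ref}: local or docker reference, pinning rule does not apply"
    if "@" not in ref:
        return False, f"{ref}: no ref at all"
    action, _, version = ref.rpartition("@")
    if not SHA_RE.match(version):
        return False, f"{action}: pinned to mutable ref {version!r}, not a full commit SHA"
    if not comment or not VERSION_RE.match(comment.strip()):
        return False, f"{action}: SHA-pinned but missing the '# vX.Y.Z' version comment"
    return True, f"{action}: pinned to {version[:7]} ({comment.strip()})"


def commit_url(ref: str) -> str:
    """URL of the pinned commit, for the reviewer to verify in the PR description.
    Drops any subdirectory path (owner/repo/path@sha -> owner/repo)."""
    action, _, sha = ref.rpartition("@")
    owner_repo = "/".join(action.split("/")[:2])
    return f"https://github.com/{owner_repo}/commit/{sha}"


def audit_workflow(text: str) -> List[Tuple[int, bool, str]]:
    """One (line number, ok, reason) entry per `uses:` line found in the workflow."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ok, reason = is_pinned(m["ref"], m["comment"])
            findings.append((lineno, ok, reason))
    return findings


# Constructed Dependabot snippets: the weak one updates actions daily and
# ungrouped (one PR per action), the recommended one groups them weekly.
WEAK_DEPENDABOT = """\
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
"""

RECOMMENDED_DEPENDABOT = """\
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      github-actions:
        patterns:
          - "*"
"""


def actions_updates_grouped_weekly(text: str) -> bool:
    """Line-based check (no YAML library needed) that the github-actions
    update entry has interval weekly and a groups: section."""
    entries = re.split(r"^\s*-\s*package-ecosystem:", text, flags=re.M)
    for entry in entries[1:]:
        if "github-actions" in entry.splitlines()[0]:
            weekly = re.search(r'interval:\s*"?weekly"?', entry) is not None
            grouped = re.search(r"^\s*groups:", entry, re.M) is not None
            return weekly and grouped
    return False


if __name__ == "__main__":
    for lineno, ok, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {'OK ' if ok else 'FIX'} {reason}")
    print("weak dependabot ok:", actions_updates_grouped_weekly(WEAK_DEPENDABOT))
    print("recommended dependabot ok:", actions_updates_grouped_weekly(RECOMMENDED_DEPENDABOT))
```

Running the script on a real repository means feeding it the contents of each file under `.github/workflows/` and `.github/dependabot.yml`; a failing line is exactly the kind of change the pull request should make, and `commit_url` gives the link that belongs in the description for each pinned action.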