Renovate: bump action versions, migrate configuration #2274
pguyot wants to merge 8 commits into atomvm:main from
I'm all for this, just wondering why we are not pinning exactly, which afaik is needed for supply chain safety, e.g.

```yaml
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
  with:
    persist-credentials: false
- uses: erlef/setup-beam@fc68ffb90438ef2936bbb3251622353b3dcb2f93 # v1.24.0
```

This is what elixir-lang does https://github.com/elixir-lang/elixir/blob/main/.github/workflows/ci.yml - and I believe this is best practice. But we can always follow up with this - https://docs.renovatebot.com/presets-helpers/#helperspingithubactiondigeststosemver - seems to be "helpers:pinGitHubActionDigestsToSemver"
We should run https://zizmor.sh and slowly get compliance.
Signed-off-by: Paul Guyot <pguyot@kallisys.net>
bettio left a comment
I think "STM32 Build / stm32 (stm32l562qei6) (pull_request) Failing after 2m" started to fail here.
This was fixed only on release-0.7 branch with #2268
Also proceed to update most dependencies flagged by renovate bot.
STM32 updates are not included as they require some additional work.
These changes are made under both the "Apache 2.0" and the "GNU Lesser General
Public License 2.1 or later" license terms (dual license).
SPDX-License-Identifier: Apache-2.0 OR LGPL-2.1-or-later