Update and pin GitHub Actions + pre-commit hooks #2744
agriyakhetarpal wants to merge 3 commits into pypa:main from
Conversation
I'm not a huge fan of fully pinned GHA's. Since the runner images can't be pinned, things change under you anyway. So pinning has negatives:
The positives:
I'd argue the negatives outweigh the positives for the official actions most of the time. I'd go with fully pinned for a) less-trustworthy/used actions, b) critical parts of a workflow like the release part, and/or c) for really critical packages. I'm against this, but I'm also not for it.
I agree, pins are not the best solution. However, in my understanding, they are the only way by which I can enable "Require actions to be pinned to a full-length commit SHA" to my downstream repositories where I use cibuildwheel. It's a shame that GitHub stopped working on github/roadmap#1103. Your stance is similar to that of other projects in PyPA-land, and is also coupled with your experience maintaining cibuildwheel throughout its history, so I don't have sound reasons to disagree with it. I can change this to pin a few selected workflows. In particular:
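A small checker for the pinning requirement discussed in the comment above, added here as an example and not part of this PR or of cibuildwheel: it scans workflow text for `uses:` entries and reports those not pinned to a full 40-hex commit SHA, the only form GitHub's "Require actions to be pinned to a full-length commit SHA" setting accepts. The sample workflow and its all-zero SHA are constructed placeholders; the `classify_uses`/`find_unpinned` names are this example's own.

```python
import re

# Matches a `uses:` entry in a workflow or composite action; captures the ref
# and ignores any trailing `# v5`-style comment that documents the pin.
_USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^\s'\"#]+)['\"]?\s*(?:#.*)?$"
)
_FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref):
    """Classify an action ref the way GitHub's SHA-pinning policy does.

    Returns 'local', 'docker', 'unversioned', 'sha', 'tag' or 'branch-or-short'.
    Only a 40-hex ref counts as pinned; local (./) and docker:// actions
    carry no git ref to pin, so they are reported separately, not as failures.
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    if "@" not in ref:
        return "unversioned"
    _, version = ref.rsplit("@", 1)
    if _FULL_SHA_RE.match(version):
        return "sha"
    if re.match(r"^v?\d", version):
        return "tag"
    return "branch-or-short"  # branch name or abbreviated SHA: mutable, not pinned


def find_unpinned(workflow_text):
    """Return (line_no, ref) for every action that is not pinned to a full SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = _USES_RE.match(line)
        if m and classify_uses(m.group("ref")) in ("tag", "branch-or-short", "unversioned"):
            findings.append((lineno, m.group("ref")))
    return findings


# Constructed sample workflow; the all-zero SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0000000000000000000000000000000000000000  # v5 (placeholder)
      - uses: pypa/cibuildwheel@main
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
"""

if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a full-length commit SHA")
```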
See #2742 (comment)