
Conversation

ThomasVitale (Contributor) commented Nov 24, 2025

Dependabot will update them automatically by also pinning the versions. This will be useful towards complying with the OpenSSF Best Practices
Signed-off-by: Thomas Vitale <[email protected]>
edeandrea (Contributor) commented

Won't this mean that there will be lots and lots more dependabot updates? In all the OSS projects I've worked on, I've never seen this done.

github-actions commented

Gradle Test Results (all modules & JDKs): 324 tests ran, 324 passed ✅, 0 skipped, 0 failed

Test result: no test annotations available

github-actions commented

HTML test reports are available as workflow artifacts (zipped HTML).

Download: Artifacts for this run

ThomasVitale (Contributor, Author) commented Nov 24, 2025

Yes, there will be more updates, but I can see that Dependabot is configured to automerge PRs if the checks succeed (is that correct?), so it shouldn't result in additional work.

Many projects that follow the OpenSSF security practices pin the dependencies, since it's one of the requirements:

Besides security, it protects us from pipelines failing randomly when new minor versions are introduced that might contain unfortunate breaking changes.

Though, I can see the main Docling project doesn't pin dependencies.
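The setup discussed in this thread, as an added example that is not part of the PR: a Dependabot configuration covering the github-actions ecosystem, followed by one workflow step in its floating-tag form beside its SHA-pinned form. The workflow path, the action and the commit SHA are placeholders chosen for illustration.

```yaml
# File 1 (assumed path): .github/dependabot.yml
# Enables Dependabot for actions referenced from workflow files. When a step is pinned
# to a commit SHA, Dependabot bumps the SHA and the trailing version comment together.
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
---
# File 2 (assumed path): .github/workflows/build.yml, showing the same step twice
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Before: a mutable tag, resolved at run time, so whoever can move the tag
      # decides which code executes in this job.
      - uses: actions/checkout@v4
      # After: an immutable commit SHA (placeholder here, not a real pin); the comment
      # records the release for reviewers and is what Dependabot keeps in sync.
      - uses: actions/checkout@<FULL_COMMIT_SHA> # v4.x.y
```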

@edeandrea edeandrea merged commit b673b11 into main Nov 24, 2025
21 checks passed
@edeandrea edeandrea deleted the pin-github-actions branch November 24, 2025 17:08