Commit 6bd2b06

📝 strengthen dependabot recommendation
1 parent 6894d8e commit 6bd2b06

1 file changed

+1
-1
lines changed

docs/adr/action-pinning.md

Lines changed: 1 addition & 1 deletion
@@ -42,11 +42,11 @@ Instead:
4242

4343
- Use **semantic version tags** (e.g., `@v4`) by default.
4444
- Do **not use `@main` or other floating branch refs**.
45+
- Repositories should **enable Dependabot for GitHub Actions** and set `schedule/interval` to a reasonable value, such as `monthly`
4546
- For workflows that **access secrets, publish artifacts, or have privileged scopes**, repository maintainers **may** choose to pin to commit hashes **if justified**.
4647
- Where pinning is used:
4748
- A reviewer **must manually verify** the commit hash belongs to the correct source repository.
4849
- The verification step **must be noted in the PR review** to ensure accountability.
49-
- Repositories with **Dependabot enabled for GitHub Actions** are encouraged to rely on semantic versions and auto-patching.
5050

5151
## Consequences
5252

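Review bot: The new bullet at line 45 should state how Dependabot's update PRs relate to the hash-pinning rules that follow it. When an action is pinned to a commit hash, a Dependabot bump of that hash is still a hash change, so the two sub-bullets under "Where pinning is used" (reviewer must manually verify the hash; verification noted in the PR review) apply to those PRs as well; saying so here keeps the two halves of the section consistent, since the removed line 49 was the only text that connected Dependabot to the pinning policy. Two smaller points: the new bullet lacks the trailing period the neighbouring bullets have, and `monthly` as the example interval means a patched action can sit unnoticed for up to a month, so consider `weekly` as the example and a short pointer that `schedule/interval` is set under the `github-actions` entry in `.github/dependabot.yml`, so readers know where the setting lives.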