
GitHub Actions should be referenced by SHA not tag #208

Open
stevehipwell opened this issue Jan 19, 2023 · 3 comments

Comments

@stevehipwell

Just like how container images should be referenced by digest, GitHub actions should be referenced by SHA and not tag. Dependabot can handle this pattern including keeping the tag used next to the SHA as a comment.

```yaml
jobs:
  test:
    steps:
      - name: Checkout
        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
```
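To make the pinning rule above checkable in CI, here is an added example (not from the issue or the project) that scans a workflow file for `uses:` references and reports which ones are pinned to a full commit SHA, which are mutable tags or branches such as `@main`, and which SHA pins lack the trailing tag comment that Dependabot maintains. The sample workflow is constructed for the example; the action names other than `actions/checkout` are placeholders.

```python
import re

# Constructed sample workflow (not from the issue): one SHA-pinned step in the
# recommended form, plus the tag and @main forms the issue argues against.
SAMPLE_WORKFLOW = """\
jobs:
  test:
    steps:
      - name: Checkout
        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
      - uses: actions/setup-go@v4
      - uses: example-org/example-monorepo/some-action@main
      - uses: ./.github/actions/local-action
      - uses: docker://ghcr.io/example/image:1.0
"""

# Matches a `uses:` value and an optional trailing `# <tag>` comment on the same line.
USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*(\S+)(?:[ \t]*#[ \t]*(\S+))?", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_uses(workflow_text):
    """Return (ref, verdict) pairs for every `uses:` entry in the workflow text.

    Verdicts: "sha" (pinned, tag comment present), "sha-no-comment" (pinned,
    no comment for Dependabot to maintain), "mutable" (tag or branch),
    "unpinned" (no @ at all) and "skip" (local path or docker:// reference).
    """
    findings = []
    for match in USES_RE.finditer(workflow_text):
        ref, comment = match.group(1), match.group(2)
        if ref.startswith("./") or ref.startswith("docker://"):
            findings.append((ref, "skip"))  # not a GitHub repository reference
            continue
        if "@" not in ref:
            findings.append((ref, "unpinned"))
            continue
        version = ref.rsplit("@", 1)[1]
        if FULL_SHA_RE.match(version):
            findings.append((ref, "sha" if comment else "sha-no-comment"))
        else:
            findings.append((ref, "mutable"))  # tag or branch can be moved later
    return findings


if __name__ == "__main__":
    for ref, verdict in audit_uses(SAMPLE_WORKFLOW):
        print(f"{verdict:15} {ref}")
```

Run as a pre-merge check, a non-empty set of `mutable`, `unpinned` or `sha-no-comment` verdicts is the condition to fail on.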
@imjasonh
Member

I realize I'm pretty late to this, but I agree FWIW.

This repo doesn't do tagged releases, since it would be pretty disruptive to get dependabot updates for each action when only one action had a meaningful release. Having a bunch of single-action individually-tagged repos proliferate around also sounds pretty annoying, to be honest.

In the absence of releases, consumers should reference actions by SHA instead of @main. The issue now is clearly and concretely updating all the docs to encourage this, instead of @main as today.

@stevehipwell
Author

> Having a bunch of single-action individually-tagged repos proliferate around also sounds pretty annoying, to be honest.

Isn't this the Unix philosophy and exactly what Dependabot is designed to handle? IMHO this would be significantly less complex than dealing with SHAs directly, especially to figure out if a subfolder action needed its reference changing.

My personal, and I thought widely acknowledged, opinion is that monorepos work where the tooling and integrations can be engineered as one. For repos hosting GitHub Actions this isn't the case (currently) and as such attempting to use a monorepo is going to be fighting against the system instead of working with it.

@xnox
Contributor

xnox commented May 21, 2024

> In the absence of releases, consumers should reference actions by SHA instead of @main. The issue now is clearly and concretely updating all the docs to encourage this, instead of @main as today.

This has the inverse problem that Dependabot does not know how to update such a SHA of the branch. Could we at least make digestbot able to update the SHA of GitHub Actions branches?
