Hi,
Might it be an idea, for antq, to handle GitHub Action versions as hashes in addition to versions (as a switch, i.e., opt-in?). For example:
```yaml
steps:
  - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
  - name: Setup Cache
    uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
    with:
      path: |
        ~/.m2
        ~/.gitlibs
      key: ${{ env.APPLICATION }}-${{ hashFiles('deps.edn') }}
      restore-keys: ${{ env.APPLICATION }}-${{ hashFiles('deps.edn') }}
  - name: Setup Java
    uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
    with:
      distribution: 'temurin'
      java-version: ${{ matrix.java }}
  - name: Setup Clojure
    uses: DeLaGuardo/setup-clojure@02f5a82b79a547523e664fe8a7a32ea14884d7b2 # master
    with:
      cli: 'latest'
```
Thus having the ability to pin GitHub Actions to specific versions (may help with supply chain attacks).
Arigato!
-=david=-
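
An added example, not part of the original post and not antq's code: a small audit of `uses:` lines that separates references pinned to a full 40-character commit SHA from mutable tag or branch references, and reads the trailing `# vN` comment as the version label. The function names, the status strings, and the last two steps of the sample workflow are assumptions constructed for illustration.

```python
import re

# Constructed sample, modelled on the snippet in the post; the last two
# steps are added here to show the unpinned and local-action cases.
SAMPLE = """\
steps:
  - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
  - name: Setup Clojure
    uses: DeLaGuardo/setup-clojure@02f5a82b79a547523e664fe8a7a32ea14884d7b2 # master
  - uses: actions/setup-java@v5
  - uses: ./.github/actions/local-step
"""

# `uses:` value, optionally quoted, with an optional trailing "# label" comment.
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*['"]?(?P<target>[^\s'"#]+)['"]?\s*(?:#\s*(?P<label>\S+))?""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")        # abbreviated SHAs do not count
VERSION_RE = re.compile(r"v?\d+(\.\d+){0,2}")    # v6, v5.1, 4.2.0


def classify(line):
    """Return (action, ref, label, status) for a `uses:` line, else None."""
    m = USES_RE.match(line)
    if not m:
        return None
    target, label = m.group("target"), m.group("label")
    if target.startswith(("./", "docker://")):
        return (target, None, label, "not-a-repo-ref")  # local path or image
    action, sep, ref = target.partition("@")
    if not sep:
        return (action, None, label, "no-ref")
    if not FULL_SHA_RE.fullmatch(ref):
        return (action, ref, label, "mutable-ref")      # tag or branch can move
    if label and VERSION_RE.fullmatch(label):
        return (action, ref, label, "pinned")           # SHA plus version label
    # SHA is immutable, but the comment gives no version to compare against.
    return (action, ref, label, "pinned-no-version")


def audit(workflow_text):
    """Classify every `uses:` line in a workflow file's text."""
    return [r for r in map(classify, workflow_text.splitlines()) if r]


if __name__ == "__main__":
    for action, ref, label, status in audit(SAMPLE):
        print(f"{status:18} {action} ref={ref} label={label}")
```

The `# master` comment in the post's last step is reported as `pinned-no-version`: the commit is fixed, but a tool comparing versions has no release tag to work from.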