The main benefit of pinning GitHub actions is the determinism it brings
in terms of what version of a given action will be executed. This is
a step towards having hermetic builds.
Once pinned to a commit, dependabot will automatically issue PRs to update
to newer versions.
Pinned versions is the only security metric from OpenSSF scorecard that
this repository currently have a zero score.
Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
This includes updating the version in the `manifests/crds` directory
for the component thas has a newer latest version.
Signed-off-by: Hidde Beydals <hello@hidde.co>
We noticed that some of our components had not received `go.mod` updates
while they did receive updates for the versions declared in the YAML
manifests.
Was able to trace this back to a behavior change in Go since `1.16.x`,
resulting in it no longer making automated changes to `go.mod` and
`go.sum`[1]. This is an issue for our updater script as it relies
on `go list -m all`, which now after the first `go mod edit` returns:
```console
$ go list -m all
go: github.com/fluxcd/notification-controller/api@v0.10.0: missing
go.sum entry; to add it:
go mod download github.com/fluxcd/notification-controller/api
```
To work around the issue without having to repeatedly call `go mod
tidy`, I have opted to simply `grep` on the contents of `go.mod` as a
workaround.
[1]: https://blog.golang.org/go116-module-changes#TOC_3.
Signed-off-by: Hidde Beydals <hello@hidde.co>
dependabot[bot]
Paulo Gomes
Stefan Prodan
Eddie Knight
Hidde Beydals
Aurel Canciu