potiuk commented on issue #15742: URL: https://github.com/apache/iceberg/issues/15742#issuecomment-4113744571
Using dependabot or renovate is required by the ASF Policy [1], same as pin-hashing. You should use cooldown [2] with dependabot; this is the best way to use it.

Yes, I very much recommend Zizmor. It will detect all kinds of issues with GH actions (including lack of pin-hashing, but also use of dangerous workflows and unsafe uses of templating, and many more). Also, dependabot will automatically upgrade such pin-hashed actions as of recently.

You can also take a look at those infra docs:

[1] https://infra.apache.org/github-actions-policy.html
[2] https://infra.apache.org/dependabot.html#cooldown
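As an added illustration of the pin-hashing check the comment above refers to (this is not code from the Iceberg project, nor from Zizmor or dependabot), the following stand-alone script scans a workflow file for `uses:` references that are not pinned to an immutable identifier: a full 40-hex commit SHA for repository actions, or an image digest for `docker://` references. The workflow text, the action names and the placeholder SHA are constructed for the example; the SHA is not a real commit.

```python
import re

# Constructed sample workflow (not from the Iceberg repo). The SHA below is a
# placeholder, not a real commit. Steps 2 and 4 use mutable references.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.1
      - uses: actions/setup-java@v4
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
"""

# A full git commit SHA is 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Match `uses:` on a step, with or without the leading list dash and with
# optional quoting; stop at whitespace, a quote or a trailing comment.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")


def is_pinned(ref: str) -> bool:
    """True if an action reference cannot silently change underneath us."""
    if ref.startswith("./"):
        # Local action: it lives in this repo, so it is versioned with it.
        return True
    if ref.startswith("docker://"):
        # A tag such as :3.19 is mutable; only a digest is immutable.
        return "@sha256:" in ref
    if "@" not in ref:
        # No ref at all means the default branch: always mutable.
        return False
    _, version = ref.rsplit("@", 1)
    # Tags (v4, v4.1.1) and branch names are mutable; a commit SHA is not.
    return bool(SHA_RE.match(version))


def unpinned_uses(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, reference) for every mutable `uses:` reference."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not is_pinned(m.group(1)):
            findings.append((lineno, m.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, ref in unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to an immutable ref")
```

Run it against a real `.github/workflows/*.yml` by reading the file into `unpinned_uses`; keeping the `# v4.1.1` comment after a SHA pin is what lets dependabot recognise the version and bump both the SHA and the comment.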
