Aashish-Jha-11 commented on code in PR #1982:
URL: https://github.com/apache/sedona/pull/1982#discussion_r2160739358


##########
.github/workflows/r.yml:
##########
@@ -81,20 +81,20 @@ jobs:
           sudo apt-get -y remove --purge default-jdk adoptopenjdk-11-hotspot 
|| :
         shell: bash
       - uses: actions/checkout@v4
-      - uses: r-lib/actions/[email protected]
+      - uses: r-lib/actions/setup-r@bd49c52ffe281809afa6f0fecbf37483c5dd0b93
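Review bot: the new pinned `uses:` line should carry the release it resolves to as a trailing comment, e.g. `- uses: r-lib/actions/setup-r@bd49c52ffe281809afa6f0fecbf37483c5dd0b93 # v2.11.3`, so a reader of the workflow (and Dependabot or Renovate when bumping the pin) can see which version the bare SHA corresponds to; without it the SHA is opaque in every future diff. Also, the `actions/checkout@v4` context line two lines above is still tag-pinned, so if full-SHA pinning is the policy for this workflow it should be applied there in the same change for consistency.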

Review Comment:
   Thanks for pointing that out.
   Yes, this is because [GitHub Actions security best practices](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-pinned-actions) recommend pinning to a full commit SHA instead of using version tags, which are mutable.
   
   I verified that bd49c52... is the current commit behind v2.11.3 at the time of change, so this ensures reproducibility and avoids any tampering even if the tag is moved in the future.
   
   Let me know if you'd prefer using a different version or want it changed back to a tag-based reference. 😊
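The verification step the comment describes (confirming that a pinned SHA is the commit behind a tag), as an added shell example that is not part of the PR or the sedona project. It parses `git ls-remote --tags` output so the check can run offline on constructed lines; the function names, the made-up tag-object SHA and the sample listing are assumptions, and the one real value is the v2.11.3 commit from the hunk above.

```shell
#!/bin/sh
# Live use: git ls-remote --tags https://github.com/r-lib/actions | verify_pin v2.11.3 <sha>

# resolve_tag_commit <tag>   (ls-remote output on stdin; prints the commit SHA)
# An annotated tag appears twice in ls-remote output: refs/tags/<tag> is the tag
# object's own SHA and refs/tags/<tag>^{} is the peeled commit. A `uses:` pin must
# be a commit SHA, so the peeled entry wins; a lightweight tag has only the plain
# entry, which already is the commit.
resolve_tag_commit() {
    awk -v tag="$1" '
        $2 == ("refs/tags/" tag "^{}") { peeled = $1 }
        $2 == ("refs/tags/" tag)       { plain  = $1 }
        END {
            if (peeled != "")     print peeled
            else if (plain != "") print plain
            else                  exit 1
        }'
}

# verify_pin <tag> <pinned-sha>   (ls-remote output on stdin)
# exit 0: pin is the full commit the tag currently resolves to
#      1: mismatch (tag moved, or wrong commit pinned)
#      2: pin is not a full 40-hex SHA (GitHub's guidance is a full-length SHA)
#      3: tag not present in the remote listing
verify_pin() {
    tag="$1"; pin="$2"
    case "$pin" in *[!0-9a-f]*|"") return 2 ;; esac
    [ "${#pin}" -eq 40 ] || return 2
    resolved=$(resolve_tag_commit "$tag") || return 3
    [ "$resolved" = "$pin" ]
}

# Constructed stand-in for `git ls-remote --tags` output (tab-separated, as git
# prints it). The tag-object SHA and the v2.11.2 commit are made up; the v2.11.3
# commit is the one pinned in the hunk above.
sample_ls_remote() {
    printf '%s\t%s\n' \
        aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 'refs/tags/v2.11.3' \
        bd49c52ffe281809afa6f0fecbf37483c5dd0b93 'refs/tags/v2.11.3^{}' \
        cccccccccccccccccccccccccccccccccccccccc 'refs/tags/v2.11.2'
}

# Stand-alone demonstration: prints the commit that v2.11.3 resolves to.
sample_ls_remote | resolve_tag_commit v2.11.3
```

Note that `verify_pin` returns a distinct code for an abbreviated pin and for a missing tag, so a CI job can tell "tag moved" apart from "pin never resolved".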



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
