jdaugherty commented on PR #69: URL: https://github.com/apache/grails-github-actions/pull/69#issuecomment-4156705444
> I think by going from `vX` to `vX.0.0` we downgrade the GitHub Actions, as `vX` is a moving target auto-updating to the latest release of that major version. We just need to rely on Dependabot to update them more often. But yes, this is an intentional change in the direction for security. Otherwise, if an action or image is compromised, we immediately become compromised. This is what happened with the Trivy incident and also why the ASF now recommends hash-only tags.
>
> As for the version mismatches, I tried to take the latest approved tag for the versions. I'll make a pass at removing the comments and updating to newer if necessary.

-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
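The distinction the comment draws (a major tag like `v4` that is re-pointed on every release, a `vX.Y.Z` tag that is stable by convention but still a mutable git ref, and a 40-hex commit SHA that cannot be moved) can be checked mechanically. The script below is an added example, not code from the grails-github-actions repository or the PR under discussion: it classifies every `uses:` reference in a workflow, lists the ones that resolve through a mutable ref, and rewrites tag-pinned references to SHA pins while keeping the tag as a trailing comment (the form Dependabot understands when it bumps a SHA-pinned action). The workflow text and the commit SHAs are constructed for the example; in practice the SHA for a tag comes from `git ls-remote` against the action's repository, not from a hard-coded map.

```python
import re

# Constructed sample workflow (not from any real repository). The SHA on the
# actions/cache line is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4.0.0
      - uses: actions/cache@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v4.0.2
      - uses: docker/login-action@master
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

# A "uses:" value ends at whitespace or at a trailing "# vX.Y.Z" comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
MAJOR_TAG_RE = re.compile(r"^v?\d+$")          # v4: re-pointed on every release
EXACT_TAG_RE = re.compile(r"^v?\d+\.\d+\.\d+")  # v4.0.0: still a mutable git tag


def classify_ref(ref):
    """Return how one uses: reference is pinned.

    sha        - immutable commit; the only form that survives a re-tag
    major-tag  - moving major tag, auto-updates to the latest release
    exact-tag  - specific release tag; stable by convention, not by git
    branch     - any other ref name (master, main, ...)
    unpinned   - no "@" at all
    local      - action checked out with the repository itself
    container  - docker:// image reference (pin by digest separately)
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "container"
    if "@" not in ref:
        return "unpinned"
    _, version = ref.rsplit("@", 1)
    if FULL_SHA_RE.match(version):
        return "sha"
    if MAJOR_TAG_RE.match(version):
        return "major-tag"
    if EXACT_TAG_RE.match(version):
        return "exact-tag"
    return "branch"


def audit_workflow(text):
    """Return [(reference, classification), ...] for every uses: in a workflow."""
    return [(ref, classify_ref(ref)) for ref in USES_RE.findall(text)]


def unpinned_refs(text):
    """References that resolve through a mutable git ref rather than a commit."""
    mutable = ("major-tag", "exact-tag", "branch", "unpinned")
    return [ref for ref, kind in audit_workflow(text) if kind in mutable]


def pin_refs(text, sha_map):
    """Rewrite tag-pinned uses: lines to commit SHAs, keeping the tag as a comment.

    sha_map maps "owner/repo@tag" to the 40-hex commit that tag pointed to when
    it was reviewed; a hypothetical caller would fill it from `git ls-remote`.
    """
    for ref, sha in sha_map.items():
        if not FULL_SHA_RE.match(sha):
            raise ValueError(f"{ref}: {sha!r} is not a full 40-hex commit SHA")

    def repl(match):
        ref = match.group(1)
        sha = sha_map.get(ref)
        if sha is None:
            return match.group(0)
        name, tag = ref.rsplit("@", 1)
        return match.group(0).replace(ref, f"{name}@{sha} # {tag}")

    return USES_RE.sub(repl, text)


if __name__ == "__main__":
    for ref, kind in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{kind:10} {ref}")
    # Constructed placeholder SHA; a real pin would use the commit behind the tag.
    print(pin_refs(SAMPLE_WORKFLOW, {"actions/checkout@v4": "0123456789abcdef0123456789abcdef01234567"}))
```

Note that the rewrite deliberately does not touch `docker://` references: an image tag is a moving target in exactly the way a major action tag is, but the fix there is a `@sha256:` digest, not a git commit, so it needs a different check.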
