Hacker News new | ask | show | jobs
by klysm 455 days ago
How else should we do it?
1 comments
sunnybeetroot 455 days ago
By commit hash
link
bboreham 455 days ago
It seems to me that pinning to a sha was not sufficient; the Renovate bot was updating actions referenced by sha.

Example: https://github.com/chains-project/maven-lockfile/pull/1111/f...

This appears to be governed by the `pinGitHubActionDigests` helper configured in `renovate.json`.

link