by arionmiles 54 days ago
I feel pretty happy we use Renovator (EDIT: It's Renovate) at my current workplace which by default will raise PRs to change any tags for actions with the SHA instead. Then, even when it bumps the version in future PRs, it bumps the SHA (with a comment of which tag version it represents)
4 comments
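As an added example (not code from the thread or from Renovate), here is a small check of what the parent comment describes: it walks the `uses:` lines of a workflow, treats only a 40-hex commit SHA as immutable, and reports a SHA-pinned step that lacks the `# vX.Y.Z` comment a reviewer relies on. The sample workflow text is constructed; the SHAs in it are placeholders, not real commits.

```python
import re

# Constructed sample workflow; the SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.2
      - uses: actions/cache@main
      - uses: aquasecurity/trivy-action@fedcba9876543210fedcba9876543210fedcba98
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
"""

# Captures the reference after `uses:` and an optional trailing `# comment`.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?', re.M)
SHA_RE = re.compile(r'^[0-9a-f]{40}$')

def classify_uses(workflow_text):
    """Return (ref, kind, comment) for every `uses:` entry.

    kind is one of: sha, sha-uncommented, tag, mutable-branch,
    unversioned, local, docker. Tags and branches are mutable pointers
    in GitHub, so only a full SHA counts as pinned here."""
    results = []
    for m in USES_RE.finditer(workflow_text):
        ref, comment = m.group(1), m.group(2)
        if ref.startswith('./'):
            results.append((ref, 'local', comment)); continue
        if ref.startswith('docker://'):
            results.append((ref, 'docker', comment)); continue
        if '@' not in ref:
            results.append((ref, 'unversioned', comment)); continue
        _, version = ref.rsplit('@', 1)
        if SHA_RE.match(version):
            # Renovate-style pins carry the tag in a comment; flag its absence.
            kind = 'sha' if comment else 'sha-uncommented'
        elif re.match(r'^v?\d', version):
            kind = 'tag'
        else:
            kind = 'mutable-branch'
        results.append((ref, kind, comment))
    return results

def unpinned(workflow_text):
    """References that a moved tag or branch could silently change."""
    mutable = ('tag', 'mutable-branch', 'unversioned')
    return [r for r, k, _ in classify_uses(workflow_text) if k in mutable]
```

Note that, as the rest of the thread points out, a pinned `uses:` line says nothing about what the action itself downloads at run time.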

Glad to hear you're enjoying Renovate - I'm biased, but I agree that the SHA pinning PR updates are a very nice feature

We recently found (in Renovate) some edge cases with how tags work in GitHub Actions, which was fun (https://news.ycombinator.com/item?id=47892740), and there are a few things in there Dependabot doesn't seem to support too.

If you auto merge those PRs you're back to square 1 as you're not vetting your dependency updates. And if you don't, you incur operational overhead unless you put in a fair amount of effort centralizing. Wrote a couple of posts that touched on this https://developerwithacat.com/blog/202604/github-actions-sup...
Valid point. We have minimum age requirements set on some rules to avoid absorbing every latest change instantly.
How would that solve the problem though? You're still bringing compromises in, just with a delay. And the fixes will come in after the compromise, in accordance with the delay policy.

To make matters worse, you'd lose getting alerts on vulnerabilities. Dependabot won't send them, and neither will Renovate last time I checked.

Both Renovate and Dependabot will raise PRs for a security fix, regardless of minimumReleaseAge/cooldown config
Are you saying that Dependabot/Renovate...

- raises PRs for security fixes immediately, regardless of cooldown configs

- flags the PRs as security fixes

- does the above when actions are pinned by commit SHA

? If so, mind sharing some documentation and examples please? I don't mind being proven wrong, but I genuinely couldn't find anything that demonstrates this happens. Dependabot docs actually point to the contrary (see my blog posts).

How many people actually audit the code changes in their dependencies when updating them?
Few, if any. Which is why I'm highlighting that you can't just use commit SHA + Renovate then call it a day.
A new problem is that even pinned actions themselves download unpinned transitive dependencies, as is the case with the trivy action.

Zizmor recently shipped a rule to warn of such actions, but it only does it for two known actions so far.

Is it Renovator or Renovate? I'm trying to find it to check it out...
Oops, my bad. We keep calling it Renovator internally but the name is RenovateBot or Renovate.

https://docs.renovatebot.com/

Thanks! I'll take a look :)