diff --git a/README.md b/README.md index a861086e..ba172b5e 100644 --- a/README.md +++ b/README.md @@ -78,7 +78,7 @@ build out the the custom handling needed. For example: ```yaml - name: Coverage comment id: coverage_comment - uses: py-cov-action/python-coverage-comment-action@v3 + uses: py-cov-action/python-coverage-comment-action@sha1 # vx.y.z with: GITHUB_TOKEN: ${{ github.token }} activity: "${{ github.event_name == 'push' && 'save_coverage_data_files' || 'process_pr' }}" @@ -154,7 +154,7 @@ jobs: # existing comments when direct publication is allowed. contents: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@sha1 # vx.y.z - name: Install everything, run the tests, produce the .coverage file run: make test # This is the part where you put your own test command @@ -166,7 +166,7 @@ jobs: GITHUB_TOKEN: ${{ github.token }} - name: Store Pull Request comment to be posted - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@sha1 # vx.y.z if: steps.coverage_comment.outputs.COMMENT_FILE_WRITTEN == 'true' with: # If you use a different name, update COMMENT_ARTIFACT_NAME accordingly @@ -243,7 +243,7 @@ jobs: # comments (to avoid publishing multiple comments in the same PR) contents: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@sha1 # vx.y.z with: # This is optional since by default it's to true. The git # operations in python-coverage-comment-action utilize the token @@ -288,7 +288,7 @@ jobs: # comments (to avoid publishing multiple comments in the same PR) contents: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@sha1 # vx.y.z with: # This is optional since by default it's to true. The git # operations in python-coverage-comment-action utilize the token 
@@ -335,7 +335,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@sha1 # vx.y.z with: # This is optional since by default it's to true. The git # operations in python-coverage-comment-action utilize the token @@ -344,7 +344,7 @@ jobs: - name: Set up Python id: setup-python - uses: actions/setup-python@v6 + uses: actions/setup-python@sha1 # vx.y.z with: python-version: ${{ matrix.python_version }} @@ -358,7 +358,7 @@ jobs: # this prefix is not used. - name: Store coverage file - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@sha1 # vx.y.z with: name: coverage-${{ matrix.python_version }} path: .coverage.${{ matrix.python_version }} @@ -377,14 +377,14 @@ jobs: pull-requests: write contents: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@sha1 # vx.y.z with: # This is optional since by default it's to true. The git # operations in python-coverage-comment-action utilize the token # stored by actions/checkout. persist-credentials: true - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@sha1 # vx.y.z id: download with: pattern: coverage-* @@ -398,7 +398,7 @@ jobs: MERGE_COVERAGE_FILES: true - name: Store Pull Request comment to be posted - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@sha1 # vx.y.z if: steps.coverage_comment.outputs.COMMENT_FILE_WRITTEN == 'true' with: name: python-coverage-comment-action @@ -642,7 +642,7 @@ jobs: pull-requests: write contents: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@sha1 # vx.y.z - name: Test project 1 run: make -C project_1 test 
@@ -667,7 +667,7 @@ jobs: GITHUB_TOKEN: ${{ github.token }} - name: Store Pull Request comment to be posted - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@sha1 # vx.y.z if: steps.coverage_comment_1.outputs.COMMENT_FILE_WRITTEN == 'true' || steps.coverage_comment_2.outputs.COMMENT_FILE_WRITTEN == 'true' with: name: python-coverage-comment-action @@ -716,13 +716,12 @@ jobs: ## Pinning -On the examples above, the version was set to the tag `v3`. Pinning to a major version -will give you the latest release on this version. (Note that we release every time after -a PR is merged). Pinning to a specific version (`v3.1` for example) would make the -action more reproducible, though you'd have to update it regularly (e.g. using -Dependabot). You can also pin a commit hash if you want to be 100% sure of what you run, -given that tags are mutable. Finally, You can also decide to pin to main, if you're OK -with the action maybe breaking when (if) we release a v4. +We used to rewrite tags following the GitHub practices (and provide `@v3`, `@v3.1`, etc.). +The new accepted good practice is release immutability, so that's what we do. +Using standard tools like [Zizmor](https://docs.zizmor.sh/) or +[Pinact](https://github.com/suzuki-shunsuke/pinact), you're expected to pin to a +given commit sha, and use a comment to indicate the corresponding exact version. +This is format is understood and followed by dependabot/renovate. ## Note on the state of this action
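Review bot: The rewritten Pinning paragraph never says that `sha1` and `vx.y.z` in the examples are placeholders, so a reader who copies `uses: actions/checkout@sha1 # vx.y.z` verbatim gets a ref that presumably does not resolve rather than a pinned action. A sentence such as `Replace sha1 with the full 40-character commit SHA of the release and vx.y.z with the matching version.` would close that gap. The same placeholder form appears in every workflow hunk of this diff, from `@@ -78,7 +78,7 @@` through `@@ -667,7 +667,7 @@`. The new text also drops the old paragraph's reason for pinning (tags are mutable) and, as far as this hunk shows, does not say whether the existing `v3` tags stay available to current users; each deserves one sentence. The last added line has a typo: `This is format is understood` should read `This format is understood`.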