build(deps): bump golangci/golangci-lint-action from 774c35bcccffb734694af9e921f12f57d882ef74 to 9937fdf7189f2958a2dc9f6d585e5d65e3326d20 #3769
Conversation
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=60&v=4){kind=small}
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 774c35bcccffb734694af9e921f12f57d882ef74 to 9937fdf7189f2958a2dc9f6d585e5d65e3326d20. - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](golangci/golangci-lint-action@774c35b...9937fdf) --- updated-dependencies: - dependency-name: golangci/golangci-lint-action dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]>
dependabot
bot
added
dependencies
dependabot
bot
deleted the
dependabot/github_actions/golangci/golangci-lint-action-9937fdf7189f2958a2dc9f6d585e5d65e3326d20
branch
| @@ -51,7 +51,7 @@ jobs: | |||
| go-version: ${{ env.GO_VERSION }} | |||
| check-latest: true | |||
| - name: golangci-lint | |||
| uses: golangci/golangci-lint-action@774c35bcccffb734694af9e921f12f57d882ef74 # v6.1.1 | |||
| uses: golangci/golangci-lint-action@9937fdf7189f2958a2dc9f6d585e5d65e3326d20 # v6.1.1 | |||
There was a problem hiding this comment.
yeah you're right 6.1.1 was released On Oct. 2. Both 774c35... and 9937fd... are from main branch.
@apostasie can you explain a bit more the benefit of using sha directly instead of tag (either 6.x.x/6.x/6)? Seems now dependabot will always upgrade to the latest main commit if sha is used.
There was a problem hiding this comment.
This was brought up here: #3739 (comment)
The reasoning was to tighten security and align with the rest of the ecosystem (containerd / lima).
Looking now at containerd: containerd/containerd@045ab3c - it does seem like dependabot is acting as expected.
Maybe the initial commit sha here was mistakenly from master?
There was a problem hiding this comment.
Just looked at commit history. I probably fat fingered the sha copy paste and used a commit from master instead of from the release tag.
Should be / should have been 971e284b6050e8a5849b72094c50ab08da042db8
There was a problem hiding this comment.
Let's try this and see what dependabot is doing.
Bumps golangci/golangci-lint-action from 774c35bcccffb734694af9e921f12f57d882ef74 to 9937fdf7189f2958a2dc9f6d585e5d65e3326d20.
Commits
9937fdfbuild(deps): bump@types/nodefrom 22.10.1 to 22.10.2 in the dependencies gro...cb60b26build(deps-dev): bump the dev-dependencies group with 2 updates (#1136)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)