Since megalinter now includes v1.78 of the kics linter (as of megalinter v7.4.0)
and kics treats unpinned third-party actions as failures, megalinter should play by its own rules and tell users to pin to shas.
daltonv changed the title from "The example megalinter workflow should used sha pinned actions" to "The example megalinter workflow should use sha pinned actions" on Nov 1, 2023
Kics is very chatty and kind of slow... for example I disabled it on own MegaLinter repo ;)
MegaLinter is a tool, but its users own the strategy to use it... I agree that pinning a sha on GitHub Actions is a good practice, but it's less readable, and I prefer MegaLinter to remain as simple as possible for newbies ^^
So users are free to update versions to shas, but I prefer not to enforce it in default workflows :)
Currently the example mega-linter.yml does not pin third-party actions to shas
For example
Instead of
This advice even comes from GitHub's own documentation