Skip to content

Bump GitHub action workflows #230

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
hirasso merged 2 commits into from
Jan 5, 2026
Merged

Bump GitHub action workflows #230

hirasso merged 2 commits into from
Jan 5, 2026

Conversation

@deining
Copy link
Contributor

@deining deining commented Jan 4, 2026

This PR bumps GitHub action workflows to their latest versions.

@hirasso
Copy link
Member

hirasso commented Jan 5, 2026

What is the motivation for this PR? Is something broken?

@deining
Copy link
Contributor Author

deining commented Jan 5, 2026

Is something broken?

No.

What is the motivation for this PR?

This PR is meant as mere maintenance measure:

https://github.blog/security/supply-chain-security/do-you-know-if-all-your-repositories-have-up-to-date-dependencies/

Keeping your repositories’ dependencies up to date is crucial for maintaining quality and security.
Outdated dependencies can expose your project to vulnerabilities, compromise its stability,
and hinder its overall performance.

@hirasso
Copy link
Member

hirasso commented Jan 5, 2026

Thank you @deining for making us think about this matter more thoroughly.

I'm actually unsure what has more trade-offs: Always keeping dependencies at the latest bleeding version – or the opposite: be even more strict then we are now and pin workflow dependencies to specific commits:

https://blog.rafaelgss.dev/why-you-should-pin-actions-by-commit-hash
https://www.stepsecurity.io/blog/pinning-github-actions-for-enhanced-security-a-complete-guide

I tend towards the latter – update slowly. Without any update, supply chain attacks become much less likely. I would prefer to only update to latest versions if something is broken in the functionality.

@daun what do you think about this?

@daun
Copy link
Member

daun commented Jan 5, 2026

I'm actually unsure what has more trade-offs

Given that it's an open-source project and there are no company secrets or proprietary algorithms in the repo, I'd opt in favor of upgrading here. Whether we do or not, GitHub will deprecate runner and node versions at some point, and then we'll have to upgrade anyway. I prefer incremental updates whenever we feel like it (or somebody is helpful enough to send a PR our way) over urgent ones when things break.

Between our current setup (@3) and an upgrade (@6), there's no difference in security — both are vulnerable to supply chain attacks by someone publishing a patch version to this particular major version. So I'm fine with upgrading.

Without any update, supply chain attacks become much less likely

True, and in the above scenario of a private repo I would agree about the solution of pinning commits. That said, it sounds like a lot of work I don't see us maintainers doing across all repos, and the benefit of all that work is limited for an open-source org.

How do you feel about a compromise? — pinning third-party actions to exact tags (@4.3.1), but keeping the official GitHub actions at major versions (@6). I would expect no supply chain attacks from GitHub, which limits the work to a few particular third-party actions around testing and reporting.

@hirasso
Copy link
Member

hirasso commented Jan 5, 2026

Ah, that sounds like a good middle ground, thank you @daun !

@hirasso hirasso merged commit 27c807a into swup:main Jan 5, 2026
1 check passed
@hirasso
Copy link
Member

hirasso commented Jan 5, 2026

Thank you @deining!

@deining deining deleted the bump-workflows branch January 5, 2026 15:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hirasso hirasso hirasso approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@deining @hirasso @daun