Merged
2 changes: 1 addition & 1 deletion .github/workflows/danger.yml
Expand Up @@ -8,4 +8,4 @@ jobs:
danger:
runs-on: ubuntu-latest
steps:
- uses: getsentry/github-workflows/danger@v3
- uses: getsentry/github-workflows/danger@13be9bec4ec5cd67061b747972b996e9c80f4f3b # 3.1.0
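Review bot: the `# 3.1.0` comment on the new `uses:` line is not checked by anything at runtime, so before merging confirm that `13be9bec4ec5cd67061b747972b996e9c80f4f3b` really is the commit the 3.1.0 release of getsentry/github-workflows resolves to (for example `git ls-remote --tags https://github.com/getsentry/github-workflows | grep 13be9bec`), and that the comment uses the tag's actual name (the line it replaces used `@v3`, so the release tag may be spelled `v3.1.0` rather than `3.1.0`). Dependabot reads that comment to work out which release a SHA pin corresponds to when it proposes the next bump, and a mismatched comment means reviewers approve a different version from the one the file claims. The pin itself is the right move: `@v3` is a mutable tag that the action's maintainers, or anyone who compromises their repository, can repoint, while the full 40-hex SHA fixes the exact action code this job runs.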
The update to pin the `danger` action to a specific commit SHA (`13be9bec4ec5cd67061b747972b996e9c80f4f3b`) is a good practice for enhancing security and reproducibility. This ensures that the workflow always runs with the exact same action code, preventing unexpected changes from upstream updates to the `@v3` tag.

However, this approach also means that any future bug fixes or security patches released by the `getsentry/github-workflows/danger` action maintainers (within the `3.x` series) will not be automatically applied. These updates will require a manual change to the SHA in this workflow.

The inline comment `# 3.1.0` suggests an intent to use version 3.1.0. If the primary goal is to track this specific minor version and automatically receive patch updates, consider using `@v3.1.0` instead of the full SHA. This offers a balance between stability and ease of maintenance. If absolute immutability is the highest priority, then the current SHA pinning is appropriate, but be mindful of the need for manual updates for any patches.
Severity: MEDIUM
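The trade-off discussed in the comment above (a floating `@v3` tag versus a full commit SHA with a version comment) is something a reviewer can check mechanically across a whole workflow rather than one line at a time. The following is an added example, not code from this PR or from getsentry/github-workflows: a small stdlib-only checker that scans the `uses:` lines of a workflow file, flags mutable tag or branch references, and flags SHA pins that lack the version comment Dependabot keys off. The workflow text is constructed for the example; apart from the `danger` line from the diff, every step in it (`actions/checkout`, `some-org/some-action`, `other-org/tool`, the local and `docker://` steps) is hypothetical and exists only to exercise each branch of the checker.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the pinned line from the diff plus hypothetical extra steps
# added only to exercise each branch of the checker. Not the real danger.yml.
SAMPLE_WORKFLOW = """\
jobs:
  danger:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: getsentry/github-workflows/danger@13be9bec4ec5cd67061b747972b996e9c80f4f3b # 3.1.0
      - uses: some-org/some-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - uses: other-org/tool@main
"""

# A `uses:` value, optionally followed by a trailing `# comment` (Dependabot writes the
# release version there when it rewrites a SHA pin).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s+#\s*(?P<comment>.*?))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")


@dataclass
class Finding:
    line: int
    ref: str
    kind: str      # "sha", "sha-no-comment", "mutable", "local", "docker"
    message: str


def classify(ref: str, comment: str | None) -> tuple[str, str]:
    """Return (kind, message) for one uses: reference."""
    if ref.startswith("./"):
        return "local", "local action: reviewed together with the repository itself"
    if ref.startswith("docker://"):
        if "@sha256:" in ref:
            return "docker", "image pinned by digest"
        return "docker", "image tag is mutable; pin by @sha256 digest"
    _, sep, version = ref.partition("@")
    if not sep or not version:
        return "mutable", "no ref: resolves to the action's default branch"
    if SHA_RE.match(version):
        if comment:
            return "sha", f"pinned to a commit; comment says {comment}"
        return "sha-no-comment", "pinned to a commit but no version comment; add one so bumps stay reviewable"
    if VERSION_TAG_RE.match(version):
        return "mutable", f"tag {version} can be moved by the action's maintainers; pin to the commit SHA"
    return "mutable", f"branch or non-release ref {version} is mutable; pin to the commit SHA"


def audit_workflow(text: str) -> list[Finding]:
    """One Finding per uses: line, in file order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref").strip("'\"")
        kind, message = classify(ref, m.group("comment"))
        findings.append(Finding(lineno, ref, kind, message))
    return findings


def needs_attention(findings: list[Finding]) -> list[Finding]:
    """Everything a reviewer should block on: mutable refs and SHA pins without a comment."""
    return [
        f for f in findings
        if f.kind in ("mutable", "sha-no-comment")
        or (f.kind == "docker" and "mutable" in f.message)
    ]


if __name__ == "__main__":
    blocking = needs_attention(audit_workflow(SAMPLE_WORKFLOW))
    for f in audit_workflow(SAMPLE_WORKFLOW):
        flag = "!!" if f in blocking else "ok"
        print(f"{flag} line {f.line}: {f.ref}: {f.message}")
```

Run it against a real `.github/workflows/*.yml` by reading the file into `audit_workflow`; the checker deliberately works offline, so it cannot tell whether a SHA matches the release named in its comment. That is the one check that still needs the remote repository (`git ls-remote --tags` against the action's repo) and is worth doing once per pin, since the comment is the only thing tying the opaque SHA to a human-readable version.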

Member Author

@Flash0ver Flash0ver Nov 19, 2025

@dependabot is automatically updating GitHub actions.
See e.g. #4715.
It's also updating the version-comment appropriately.
