
- Using the commit SHA of a released action version is the safest for stability and security.

This is not true for stability in practice: the action often depends on a specific Node version (which may not be supported by the runner at some point) and/or a versioned API that becomes unsupported. I've had better luck with @main.





Depends what you mean by stability. The post is complaining about the lack of lockfiles, and the problem you describe would also be an issue with lockfiles.

The underlying problem is that you can't keep using the same version, and one way it fails ruins the workaround for a different failure.


