
Don't pin production dependencies to SHAs #81

Merged: jasonkarns merged 1 commit into main from relax-deps on Jun 26, 2026

Conversation

@jasonkarns (Contributor) commented Jun 22, 2026

While sha-pinning is the most secure, this also limits consumers'
ability to have latest rubies available. (see #80)

We'll keep our devdeps pinned to shas, but relax our prod deps to major
versions. Leaving checkout action pinned because there shouldn't be any
reason that users need edge versions of the checkout action. (we'll
still need to keep it fresh with version bumps, but any lag in those
bumps is acceptable)

fixes #80
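One way to audit a workflow or action file against the pinning policy described above (prod deps may float to a major version, actions/checkout stays SHA-pinned, dev deps stay SHA-pinned everywhere), as an added example that is not code from this project. The sample YAML, the SHA value and the `example/*` action names are constructed for illustration.

```python
import re

# Constructed sample of a composite action's steps (not this project's real file).
SAMPLE_ACTION_YML = """\
runs:
  using: composite
  steps:
    - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # constructed SHA
    - uses: ruby/setup-ruby@v1
    - uses: example/other-action@main
    - uses: example/pinned-exact@v2.1.0
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
MAJOR_RE = re.compile(r"^v\d+$")
EXACT_RE = re.compile(r"^v\d+\.\d+(\.\d+)?$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")

def classify_ref(ref):
    """Return 'sha', 'major', 'exact' or 'floating' for an action ref."""
    if SHA_RE.match(ref):
        return "sha"
    if MAJOR_RE.match(ref):
        return "major"
    if EXACT_RE.match(ref):
        return "exact"
    return "floating"  # branch name or anything unrecognised

def parse_uses(text):
    """Return (action, ref) for every remote `uses:` line; local paths are skipped."""
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m or "@" not in m.group(1):
            continue
        action, ref = m.group(1).rsplit("@", 1)
        out.append((action, ref))
    return out

# Policy from the PR: prod deps may track a major version, but actions/checkout
# stays SHA-pinned; a branch reference is never acceptable in either set.
MUST_BE_SHA = {"actions/checkout"}

def check_policy(text, sha_only=False):
    """Return (action, ref, reason) for each ref that violates the policy.
    sha_only=True applies the stricter dev-dependency rule: everything SHA-pinned."""
    violations = []
    for action, ref in parse_uses(text):
        kind = classify_ref(ref)
        if kind == "floating":
            violations.append((action, ref, "branch/unknown ref"))
        elif (sha_only or action in MUST_BE_SHA) and kind != "sha":
            violations.append((action, ref, "must be pinned to a commit SHA"))
    return violations
```

Run `check_policy(text)` over an action.yml for the prod-dependency rule and `check_policy(text, sha_only=True)` over workflow files for the dev-dependency rule.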

@madleech commented

Tested, no warnings emitted. Works well. Thanks!

jasonkarns merged commit ef3b8c6 into main on Jun 26, 2026
8 checks passed
jasonkarns deleted the relax-deps branch on June 26, 2026 at 14:44
@jasonkarns (Contributor, Author) commented

@madleech this has merged to main now, which I believe you're already using? I do intend to cut a release soon, but just a heads-up that if you're pointing to main, you should be good now.



Development

Successfully merging this pull request may close these issues.

Locking setup-ruby action version prevents using newer Rubies
