While semantic versions are convenient for Dependabot updates, they trigger GitHub security warnings because tags are mutable and can be reassigned.
To balance both security and maintainability, it would be helpful if the action supported immutable references (commit SHAs) while still allowing Dependabot to track semantic versions.
Problem
- Semantic version tags are mutable → potential supply chain risk.
- GitHub flags workflows referencing tags instead of SHAs.
- Using SHAs directly removes Dependabot’s ability to automatically update.
Proposed Solution
Enable immutable releases in the repository settings.
Benefits
- Eliminates/Mitigates GitHub security warnings.
- Maintains Dependabot compatibility for automatic updates.
- Improves supply chain security by ensuring workflows always reference immutable code.
Additional Context
This change would align with GitHub’s best practices for action references and help users adopt conventional-pr without compromising on security or automation.
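As an added example (not part of the original issue, and not conventional-pr's own configuration), here is a workflow step pinned to a full commit SHA with the semantic version kept in a trailing comment, plus the Dependabot configuration that keeps that pin current. The `OWNER` segment, the SHA and the version number are placeholders: look up the real commit with `git ls-remote --tags https://github.com/OWNER/conventional-pr v1.2.3` and pin the peeled commit (the `refs/tags/v1.2.3^{}` line for annotated tags), not the tag object.

```yaml
# .github/workflows/pr-title.yml
# Example workflow: pins the action to an immutable commit SHA.
# OWNER, the SHA and the version comment are placeholders, not real values.
name: Conventional PR

on:
  pull_request:
    types: [opened, edited, synchronize]

permissions:
  pull-requests: write   # least privilege: only what a PR linter needs
  contents: read

jobs:
  lint-pr:
    runs-on: ubuntu-latest
    steps:
      # Full 40-hex-character SHA: GitHub's scanning treats this as pinned.
      # The trailing comment records the semver tag the SHA corresponds to;
      # Dependabot reads and rewrites this comment when it bumps the pin.
      - uses: OWNER/conventional-pr@0123456789abcdef0123456789abcdef01234567 # v1.2.3
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

---
# .github/dependabot.yml
# Dependabot's github-actions ecosystem follows SHA-pinned references too:
# when a new release tag is published it opens a PR that updates the SHA
# and the "# vX.Y.Z" comment together.
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

With this layout the workflow never executes code other than the reviewed commit, even if the `v1.2.3` tag is later moved, and Dependabot still proposes the next release as a normal update PR. Immutable releases on the action's repository add a second guarantee on the publisher side, since the tag that the comment names can no longer be reassigned.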