dannycjones commented on code in PR #2762:
URL: https://github.com/apache/iceberg-rust/pull/2762#discussion_r3522874915


##########
.github/workflows/asf-allowlist-check.yml:
##########
@@ -39,4 +39,4 @@ jobs:
     - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
       with:
         persist-credentials: false
-    - uses: 
apache/infrastructure-actions/allowlist-check@4e9c961f587f72b170874b6f5cd4ac15f7f26eb8
  # main
+    - uses: 
apache/infrastructure-actions/allowlist-check@5d6d53e66c7f6f831d4fd0c8fd1a610054ed8a26
  # main
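Review bot: the pinned commit moves from `4e9c961f…` to `5d6d53e6…` while the trailing `# main` annotation is unchanged, so nothing on this line records which upstream state the new SHA corresponds to, and a reviewer cannot check the pin against a tag the way the `# v7.0.0` annotation on the `actions/checkout` line above allows. Consider annotating the pin with the upstream commit date or subject alongside `# main` (e.g. `# main, <YYYY-MM-DD>` as a placeholder), or with a release tag once apache/infrastructure-actions publishes one, so that SHA bumps are auditable and the branch-vs-tag mismatch is documented rather than silent.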

Review Comment:
   I think we have three options:
   
   - Suppress the warning, meaning we won't get alerted when `main` moves ahead 
of the commit we have pinned. I'm worried though that Dependabot isn't able to 
track version updates for branches.
   - Suppress the warning, and track `main` directly dropping the pin. This is 
less secure but does mean we get updates. Again, I fear that Dependabot doesn't 
recognize when the action is updated.
   - Keep it as is, and use Zizmor as the mechanism to know when we need to 
update. This will block other PRs until the dependency is updated and the PRs 
are rebased.
   
   For suppression, I am suggesting a comment like this:
   
   ```yaml
   # zizmor: ignore[ref-version-mismatch]
   - uses: apache/infrastructure-actions/allowlist-check@4e9c961f587f72b170874b6f5cd4ac15f7f26eb8 # main
   ```
   
   I don't have a strong opinion, other than that it would be ideal for that 
project to move to tag-based releases. (I've opened an issue to start that 
discussion: https://github.com/apache/infrastructure-actions/issues/1007.)
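The three options above all hinge on the same question: for each `uses:` reference in a workflow, is it pinned to a full commit SHA, and does the annotation beside the pin name a release tag or a moving branch? The script below is an added example, not part of the PR, the iceberg-rust project, or zizmor; it implements that check over a constructed workflow excerpt (the `actions/checkout` and `allowlist-check` lines mirror the hunk above, the `some-org/...` actions are made-up names). A SHA pin annotated with a branch name is reported separately from a mutable ref, which is the distinction zizmor's `ref-version-mismatch` draws.

```python
"""Audit `uses:` references in a GitHub Actions workflow for pinning hygiene.

Added example: a small regex-based checker, not the project's or zizmor's code.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Full 40-hex commit SHA: the only immutable form of a remote action reference.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `- uses: owner/repo[/path]@ref   # annotation` (the `- ` and comment are optional).
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)(?:\s+#\s*(\S+))?\s*$")
# Version-like annotation: v1, v7.0.0, 2.3, 1.2.3-rc1. Anything else is treated as a branch.
VERSION_RE = re.compile(r"^v?\d+(?:\.\d+)*(?:[-+][\w.]+)?$")

# Constructed sample (not the PR's file). `some-org/...` names are hypothetical.
SAMPLE_WORKFLOW = """\
jobs:
  check:
    steps:
    - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
      with:
        persist-credentials: false
    - uses: apache/infrastructure-actions/allowlist-check@5d6d53e66c7f6f831d4fd0c8fd1a610054ed8a26 # main
    - uses: some-org/some-action@main
    - uses: some-org/other-action@v2
    - uses: ./.github/actions/local
"""


@dataclass
class Finding:
    line: int
    action: str
    ref: Optional[str]
    annotation: Optional[str]
    # one of: ok | local | unpinned | mutable-ref | unannotated-sha | branch-annotated-sha
    status: str


def classify(action: str, ref: Optional[str], annotation: Optional[str]) -> str:
    """Decide how trustworthy a single `uses:` reference is."""
    if action.startswith(("./", "docker://")):
        return "local"                 # repo-local or container reference, out of scope here
    if not ref:
        return "unpinned"              # no @ref at all
    if not SHA_RE.match(ref):
        return "mutable-ref"           # branch or tag: can be moved after review
    if annotation is None:
        return "unannotated-sha"       # immutable, but nobody can tell what it corresponds to
    if VERSION_RE.match(annotation):
        return "ok"                    # SHA pin documented with a release tag
    return "branch-annotated-sha"      # SHA pin documented with a branch: the mismatch case


def audit_workflow(text: str) -> list:
    """Return one Finding per `uses:` line in the workflow text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, annotation = m.group(1), m.group(2)
        action, _, ref = target.partition("@")
        findings.append(Finding(lineno, action, ref or None, annotation,
                                classify(action, ref or None, annotation)))
    return findings


def needs_attention(findings: list) -> list:
    """Findings a reviewer should look at before merging."""
    return [f for f in findings if f.status not in ("ok", "local")]


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        marker = "  " if f.status in ("ok", "local") else "!!"
        print(f"{marker} line {f.line:>3}  {f.status:<22} {f.action}@{f.ref or ''}"
              f"{'  # ' + f.annotation if f.annotation else ''}")
```

Running it prints one line per action; the `allowlist-check` pin is reported as `branch-annotated-sha`, which is exactly the condition the three options in the comment above are choosing how to handle. The annotation check is deliberately strict (anything not version-shaped counts as a branch), so a pin documented with a commit date would also be flagged and should be adjusted to suit a project's own convention.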



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.