dannycjones commented on code in PR #2762:
URL: https://github.com/apache/iceberg-rust/pull/2762#discussion_r3522874915
##########
.github/workflows/asf-allowlist-check.yml:
##########
@@ -39,4 +39,4 @@ jobs:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- - uses:
apache/infrastructure-actions/allowlist-check@4e9c961f587f72b170874b6f5cd4ac15f7f26eb8
# main
+ - uses:
apache/infrastructure-actions/allowlist-check@5d6d53e66c7f6f831d4fd0c8fd1a610054ed8a26
# main
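Review bot: the new pin is still a bare commit SHA whose only annotation is `# main`, a moving branch rather than a release tag, so the hunk gives a reviewer no way to verify which upstream version `5d6d53e66c7f6f831d4fd0c8fd1a610054ed8a26` corresponds to, and every future bump will look identical. If tracking the branch by SHA is intentional, record something checkable in the trailing comment (the upstream commit date or subject) or add an explicit `# zizmor: ignore[ref-version-mismatch]` next to the step, so the exception is visible and deliberate rather than a warning that recurs on each update.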
Review Comment:
I think we have three options:
- Suppress the warning, meaning we won't get alerted when `main` moves ahead
of the commit we have pinned. I'm worried though that Dependabot isn't able to
track version updates for branches.
- Suppress the warning, and track `main` directly, dropping the pin. This is
less secure but does mean we get updates. Again, I fear that Dependabot doesn't
recognize when the action is updated.
- Keep it as is, and use Zizmor as the mechanism to know when we need to
update. This will block other PRs until the dependency is updated and the PRs
are rebased.
For suppression, I am suggesting a comment like this:
```yaml
# zizmor: ignore[ref-version-mismatch]
- uses: apache/infrastructure-actions/allowlist-check@4e9c961f587f72b170874b6f5cd4ac15f7f26eb8 # main
```
I don't have a strong opinion, other than that it would be ideal for that
project to move to tag-based releases. (I've opened an issue to start that
discussion: https://github.com/apache/infrastructure-actions/issues/1007.)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
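The trade-off discussed in the comment above (a SHA pin that is only annotated with a branch name cannot be cross-checked against a release) is easy to see in code. The following checker is an added example and is not part of the iceberg-rust PR, of the ASF workflow, or of zizmor; it re-implements the idea behind a `ref-version-mismatch` style check in a few lines so the three options in the comment can be tried against a workflow file. The workflow text is constructed for this example (it reuses the action SHAs visible in the hunk, plus placeholder `example-org/*` actions with an all-zero SHA), and the rule that an ignore directive may sit on the step line or on the line directly above is an assumption of this checker, not a statement of zizmor's exact ignore semantics.

```python
"""Added example (not the PR's, the ASF workflow's, or zizmor's own code):
a minimal "ref-version-mismatch" style checker for GitHub Actions workflows.

For every `uses:` step pinned to a 40-hex commit SHA, the trailing comment is
inspected. A version tag (v7.0.0) documents which release the SHA came from;
a branch name (main) or no comment at all leaves the pin unverifiable, so it
is reported unless suppressed by `# zizmor: ignore[ref-version-mismatch]`.
ASSUMPTION: the suppression comment is honoured on the step line itself or on
the line directly above it (this example's convention, not zizmor's spec).
"""
import re
from dataclasses import dataclass

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")            # v7, v7.0.0, 7.0.0
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)\s*(?:#\s*(?P<comment>.*?))?\s*$")
IGNORE_RE = re.compile(r"zizmor:\s*ignore\[([^\]]+)\]")
RULE = "ref-version-mismatch"


@dataclass
class Finding:
    line_no: int
    action: str
    sha: str
    comment: str
    severity: str  # "branch-pin" (comment names a non-tag ref) or "unannotated"


def _ignored(lines, idx):
    """True if this line or the preceding line carries an ignore directive for RULE."""
    for j in (idx, idx - 1):
        if j < 0:
            continue
        m = IGNORE_RE.search(lines[j])
        if m and RULE in {r.strip() for r in m.group(1).split(",")}:
            return True
    return False


def check_workflow(text):
    """Return Findings for SHA-pinned actions whose comment is not a version tag."""
    lines = text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m or "@" not in m.group("ref"):
            continue
        action, _, pinned = m.group("ref").rpartition("@")
        if not SHA_RE.match(pinned):
            continue  # tag- or branch-referenced, not SHA-pinned: other rules cover that
        # Drop an inline ignore directive before interpreting the comment text.
        annotated = IGNORE_RE.sub("", m.group("comment") or "").strip()
        if TAG_RE.match(annotated):
            continue  # SHA documented with a release tag: the state we want
        if _ignored(lines, idx):
            continue  # deliberately suppressed, as in the comment's suggestion
        findings.append(Finding(idx + 1, action, pinned, annotated,
                                "branch-pin" if annotated else "unannotated"))
    return findings


def format_findings(findings):
    """Render findings as one human-readable line each."""
    return [f"line {f.line_no}: {f.action}@{f.sha[:12]}... pinned by SHA but "
            f"annotated '{f.comment or '<none>'}' ({f.severity})" for f in findings]


# Constructed sample workflow: the first three SHAs are the ones in the hunk;
# the example-org actions and the all-zero SHA are placeholders.
SAMPLE_WORKFLOW = """\
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
      - uses: apache/infrastructure-actions/allowlist-check@5d6d53e66c7f6f831d4fd0c8fd1a610054ed8a26 # main
      # zizmor: ignore[ref-version-mismatch]
      - uses: apache/infrastructure-actions/allowlist-check@4e9c961f587f72b170874b6f5cd4ac15f7f26eb8 # main
      - uses: example-org/some-action@0000000000000000000000000000000000000000
      - uses: example-org/other-action@v3
"""

if __name__ == "__main__":
    for row in format_findings(check_workflow(SAMPLE_WORKFLOW)):
        print(row)
```

Run against the sample, the checker reports the unsuppressed `# main` pin on line 8 and the comment-less placeholder pin on line 11, while the `actions/checkout` step (tag annotated), the suppressed step on line 10, and the `@v3` reference (not SHA-pinned) pass. This mirrors the three options in the comment: a suppression comment silences the warning, dropping the SHA removes the step from this rule's scope entirely, and leaving it as is keeps the warning as the reminder to bump the pin.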