rmuir commented on PR #14492: URL: https://github.com/apache/lucene/pull/14492#issuecomment-2803947960
@dweiss I agree this is overkill for the "official" actions/ stuff. It is solid as I mentioned on the issue.

Instead this is just about giving ourselves certain guarantees, regardless of the actions in use:
* builds not changing out from underneath us... e.g. hard-to-debug problems
* security guarantees due to using something immutable (git hash) vs mutable (git tag)

I think it is a simple one-time pain, you set it once, then dependabot sends you PRs.

@dweiss to your specific question: I think it is unnecessary. My experience doing this, is that you basically "relinquish manual editing of versions" to automation, so it doesn't matter if you have `foobar@1.2.3` in 87 files. You get one pull request and it updates all 87.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.