ppkarwasz commented on PR #367:
URL: https://github.com/apache/logging-parent/pull/367#issuecomment-2784663961

   There are several advantages of locking the versions of the Antora dependencies:

   1. The first one is certainly security: transitive NPM dependencies will be upgraded only by Dependabot, when we release a new version.
   2. We can also save time on caching, since we can reuse an NPM workflow. This is also suggested in the `deploy-site-reusable` workflow:

      https://github.com/apache/logging-parent/blob/9206282b1aa4b58a100662a80f7f5c3526f35137/.github/workflows/deploy-site-reusable.yaml#L81-L95

      **Note**: I think that there is currently a bug in the workflow since `${{ hashFiles('node', 'node_modules') }}` is used **before** those folders are created in the `mvn site` step.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
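
Added example, not part of the comment above and not the project's `deploy-site-reusable` workflow: a constructed GitHub Actions file that puts the cache-key pattern the comment describes next to a key derived from a committed lock file. Job names, step layout, action versions and the location of `package-lock.json` are assumptions.

```yaml
# Constructed example; job names, paths and step layout are assumptions.
name: site-cache-example
on: workflow_dispatch

jobs:
  # Before: the key expression is evaluated when the cache step runs,
  # which is before `mvn site` has created node/ and node_modules/.
  # hashFiles() matches no files and returns an empty string, so the
  # key is identical on every run and never reflects the dependencies.
  key-from-missing-dirs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v4
        with:
          path: |
            node
            node_modules
          key: ${{ runner.os }}-npm-${{ hashFiles('node', 'node_modules') }}
      - run: mvn site

  # After: the key is derived from the committed lock file, which exists
  # right after checkout. The cache is invalidated only when a reviewed
  # change (for example a Dependabot PR) modifies package-lock.json.
  key-from-lock-file:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          cache: npm
          cache-dependency-path: package-lock.json
      # `npm ci` installs exactly what the lock file records and fails
      # if package.json and package-lock.json disagree, so transitive
      # dependencies cannot drift between builds.
      - run: npm ci
      - run: mvn site
```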
