Bump JamesIves/github-pages-deploy-action from 4.7.4 to 4.7.6 #401
dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [JamesIves/github-pages-deploy-action](https://github.com/jamesives/github-pages-deploy-action) from 4.7.4 to 4.7.6.
- [Release notes](https://github.com/jamesives/github-pages-deploy-action/releases)
- [Commits](JamesIves/github-pages-deploy-action@v4.7.4...v4.7.6)

---
updated-dependencies:
- dependency-name: JamesIves/github-pages-deploy-action
  dependency-version: 4.7.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
| - name: Deploy to GitHub pages 🚀 | ||
| uses: JamesIves/github-pages-deploy-action@v4.7.4 | ||
| uses: JamesIves/github-pages-deploy-action@v4.7.6 |
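Review bot: the changed line `uses: JamesIves/github-pages-deploy-action@v4.7.6` still references a mutable git tag, so the exact-version pin on its own does not protect against a compromised release; as the conversation on this PR points out, a tag or release can be moved after the fact by anyone with push access to the upstream repository. Prefer pinning to the full 40-character commit SHA that the v4.7.6 tag resolves to, with a trailing `# v4.7.6` comment, since Dependabot recognises that comment and keeps raising bump PRs against SHA pins. The commit list in the PR body shows only abbreviated hashes, so resolve the tag to its full SHA upstream before changing the line.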
@VisruthSK Is it safe to merge these updates to the deploy-action in general? Also is there a reason why you have this action set to a specific minor version, whereas e.g. for loo it's just @v4 instead of @4.7.4? Just curious if that's intentional.
Not intentional and doesn't provide much (any?) security against release-jacking, so I see no reason to. I may have to think about that more, but maybe it does actually sorta protect against release-jacking: if the compromised release is a minor or patch version, the next build would silently move to it, whereas here we'd get a PR and have to approve manually. Maybe we should do this everywhere? Adds some friction/regular maintenance though.
I probably copied it from the wrong place.
We could run the pkgdown action off this branch to see if the site builds and gets deployed before merging? Since it's just a patch I doubt anything would break, but it can't hurt.
Actually yeah maybe it's good to do it this way not just for bayesplot but for all of them for the reason you mentioned.
Never mind, I forgot that releases aren't immutable so nothing matters--in a scenario where the attacker has repo access, they could just change the files in the latest release instead of making a new one. So maybe just move to major version tags to make it smoother and skip these PRs?
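The thread above weighs exact tags, major-version tags and the fact that any tag can be moved. The point generalises from the single `uses:` line in this diff to every third-party action in a workflow: only a full commit SHA is immutable. The audit below is an added example written for this page, not bayesplot's own code or anything from the deploy action's repository. It works on a constructed sample workflow (the placeholder 40-hex SHA is made up, not a real commit of `actions/setup-node`) and uses only the standard library, matching `uses:` lines with a regular expression rather than a YAML parser, so it will not follow every YAML form (anchors, flow mappings) a real file could use.

```python
import re

# Constructed sample workflow (not bayesplot's actual pkgdown workflow) that
# mixes the pinning styles discussed in this PR: major-version tags, the exact
# patch tag from the diff, a SHA pin with a version comment, a local composite
# action and a docker image. The 40-hex SHA is a made-up placeholder.
SAMPLE_WORKFLOW = """\
name: pkgdown
jobs:
  pkgdown:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: r-lib/actions/setup-r@v2
      - name: Deploy to GitHub pages
        uses: JamesIves/github-pages-deploy-action@v4.7.6
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v6.1.0
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
"""

# Matches "uses: owner/repo@ref" whether or not the line starts a list item,
# stopping before whitespace or an inline "# version" comment.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)['"]?""")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SEMVER_TAG_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def classify_ref(ref):
    """Classify what kind of git ref an action is pinned to.

    'sha' is the only immutable form; 'major', 'minor' and 'patch' are tags
    that the upstream maintainer (or anyone with push access) can move.
    Anything else (branch names, pre-release tags) is reported as 'other'.
    """
    if SHA_RE.match(ref):
        return "sha"
    m = SEMVER_TAG_RE.match(ref)
    if not m:
        return "other"
    if m.group(3) is not None:
        return "patch"
    if m.group(2) is not None:
        return "minor"
    return "major"


def audit_workflow(text):
    """Return one finding per third-party action reference in a workflow file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local composite actions and docker images are not tag-pinned
        # GitHub repositories, so they are out of scope for this check.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        if "@" not in target:
            continue
        action, ref = target.rsplit("@", 1)
        kind = classify_ref(ref)
        findings.append({
            "line": lineno,
            "action": action,
            "ref": ref,
            "kind": kind,
            "mutable": kind != "sha",
        })
    return findings


def mutable_refs(text):
    """List the action references that are not pinned to a commit SHA."""
    return [f"{f['action']}@{f['ref']}" for f in audit_workflow(text) if f["mutable"]]


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        status = "MUTABLE" if f["mutable"] else "pinned "
        print(f"line {f['line']:>3}  {status}  {f['kind']:<6}  {f['action']}@{f['ref']}")
```

Run against a real `.github/workflows/*.yml` file, `mutable_refs` lists exactly the lines that a moved tag could silently change. Moving those to a full SHA with a `# vX.Y.Z` comment keeps the manual-approval friction discussed above (Dependabot still opens bump PRs for SHA pins that carry a version comment) while removing the dependence on the tag staying where it was.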
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Bumps JamesIves/github-pages-deploy-action from 4.7.4 to 4.7.6.

Release notes
Sourced from JamesIves/github-pages-deploy-action's releases.

Commits
- 9d877ee Deploy Production Code for Commit 5ad124cd797fc1553b9810f7cb262a32d1432d1d 🚀
- 5ad124c Merge branch 'dev' into releases/v4
- 83e989f fix: additional fixes for stripping git configs
- 286f4ba build(deps): bump typescript-eslint in the typescript group (#1930)
- 4ef313c Deploy Production Code for Commit f58e95ea79869a93f918a2f71af6035e58be1fae 🚀
- f58e95e Merge branch 'dev' into releases/v4
- f33629c build(deps): bump actions/setup-node from 6.0.0 to 6.1.0 (#1927)
- 771d2b1 build(deps): bump typescript-eslint in the typescript group (#1925)
- 1d137fd fix: cross-repo deployment with actions/checkout@v6 includeIf credentials (#1...
- f43d9b3 build(deps): bump actions/checkout from 6.0.0 to 6.0.1 (#1926)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)