Pin composer-install to 4.0.0 and checkout to 6.0.3 (#887)
Merged
Pin ramsey/composer-install to the 4.0.0 release SHA rather than the floating v4 branch tip. The previous pin tracked the v4 branch, so the version comment could only ever read "# v4" and a SHA bump carried no visible meaning in a diff. Pinning to the 4.0.0 tag gives an honest SHA-to-version mapping and lets Dependabot follow releases, matching the style already used for setup-php and xmllint-validate. Also pin actions/checkout to the 6.0.3 release SHA. It was previously left on the floating @v6 major tag; pinning it brings the first-party action in line with the SHA-and-version convention and makes future Dependabot bumps self-explanatory.
Summary
Dependabot raised #886 to bump `ramsey/composer-install` from one commit SHA to another, but both the old and new pins carried the same `# v4` comment. That is because the previous pin tracked the tip of ramsey/composer-install's floating `v4` branch (which is also its default branch), so a SHA bump could never show a meaningful version change in a diff. The new SHA Dependabot proposed was ten commits ahead of the only 4.x release tag, and every one of those commits was the action's own internal Dependabot churn.

This pins `ramsey/composer-install` to the 4.0.0 release SHA instead, with a matching `# 4.0.0` comment. That gives an honest mapping between the SHA and the version, brings the line in step with how `setup-php` and `xmllint-validate` are already pinned, and lets Dependabot follow genuine releases going forward so future bumps are self-explanatory. This is also the approach ramsey now recommends in their own README.

While here, `actions/checkout` is pinned to the 6.0.3 release SHA. It was previously left on the floating `@v6` major tag — first-party actions were deliberately excluded when the third-party actions were SHA-pinned. Bringing it onto the same SHA-and-version convention keeps the workflows consistent and makes future Dependabot bumps equally clear.

#886 has been closed in favour of this PR.
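As an added example (not code from this PR or the project), a small lint over `uses:` lines that flags the two forms this PR removes: a floating tag instead of a commit SHA, and a SHA whose comment names a branch or major (`# v4`) rather than a release (`# 4.0.0`). The workflow lines and SHAs below are constructed placeholders, not the project's real pins.

```python
import re

# Constructed sample workflow (not the project's real file); the 40-hex SHAs
# are placeholders, not the actual commit ids of these actions.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v6
  - uses: ramsey/composer-install@0123456789abcdef0123456789abcdef01234567 # v4
  - uses: ramsey/composer-install@0123456789abcdef0123456789abcdef01234567 # 4.0.0
  - uses: actions/checkout@89abcdef0123456789abcdef0123456789abcdef # 6.0.3
  - uses: ./.github/actions/local-thing
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)(?:\s*#\s*(?P<comment>\S+))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# A full release tag such as 4.0.0 or v6.0.3; "v4" or "v6" alone is a branch/major.
RELEASE_RE = re.compile(r"^v?\d+\.\d+\.\d+$")


def check_uses(line):
    """Return None for non-'uses:' lines, else (ok, reason) under the SHA-and-version rule."""
    m = USES_RE.match(line)
    if m is None:
        return None
    ref = m.group("ref")
    if ref.startswith("./") or ref.startswith("docker://"):
        return True, "local or docker reference, not pinned by SHA"
    action, sep, version = ref.partition("@")
    if not sep:
        return False, f"{action}: no ref given"
    if not SHA_RE.match(version):
        return False, f"{action}: floating ref '{version}' instead of a commit SHA"
    comment = m.group("comment")
    if comment is None:
        return False, f"{action}: SHA without a version comment"
    if not RELEASE_RE.match(comment):
        return False, f"{action}: comment '{comment}' names a branch or major, not a release"
    return True, f"{action}: pinned to {version[:7]} = {comment}"


def lint_workflow(text):
    """Run check_uses over every line; returns [(line_no, ok, reason), ...]."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        result = check_uses(line)
        if result is not None:
            findings.append((n, *result))
    return findings
```

This checks only the form of the pin; confirming that a SHA really is the tagged release commit still needs a lookup against the upstream repository, for example `git ls-remote --tags`.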