Comment by bramblerose

7 days ago

- Using the commit SHA of a released action version is the safest for stability and security.

This is not true for stability in practice: the action often depends on a specific Node version (which may not be supported by the runner at some point) and/or a versioned API that becomes unsupported. I've had better luck with @main.

Depends what you mean by stability. The post is complaining about the lack of lockfiles, and the problem you describe would also be an issue with lockfiles.

  • The underlying problem is that you can't keep using the same version, and one way it fails ruins the workaround for a different failure.