Pinning by hash creates UI friction. With a tool like yarn a developer can use the CLI to look up the hash and upgrade the yaml in a terse command: `yarn upgrade foopackage@1.2.3`. With pin-github-action the developer has to find the repo, look up the tag of the version they want, copy the hash, and paste the hash into their yaml.
pin-github-action should either:
- Be able to upgrade a single dependency using a command similar to yarn
- Be able to look up the hash in the CLI, so they can upgrade the yaml by hand
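As an added illustration of the lookup being asked for (this is example code written for this page, not part of the issue and not pin-github-action's own code), the script below resolves a tag to the commit SHA it points at with `git ls-remote` and rewrites `uses: owner/repo@tag` lines to `uses: owner/repo@<sha> # tag`. One caveat it handles: for an annotated tag, `refs/tags/<tag>` is the SHA of the tag object, while `refs/tags/<tag>^{}` is the peeled commit SHA, and a workflow must be pinned to the commit. The sample workflow, the tag table and `fake_resolver` are constructed so the example runs offline; the `git` lookup is only used when no resolver is passed in.

```python
"""Pin `uses:` references in a GitHub Actions workflow to commit SHAs (example code)."""
import re
import subprocess
from typing import Callable

# Matches `uses: owner/repo[/subdir]@ref` on a single line. Quoted values,
# `docker://` images and local `./` actions are deliberately not matched.
USES_RE = re.compile(
    r"^(?P<prefix>\s*(?:-\s+)?uses:\s*)"   # indentation and the `uses:` key
    r"(?P<repo>[\w.-]+/[\w.-]+)"           # owner/repo
    r"(?P<path>/[^@\s]+)?"                 # optional action subdirectory
    r"@(?P<ref>[^\s#]+)"                   # tag, branch or sha
    r"(?P<rest>.*)$"                       # trailing whitespace / comment
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

Resolver = Callable[[str, str], str]


def resolve_tag_with_git(repo: str, tag: str) -> str:
    """Resolve `tag` in github.com/<repo> to a commit SHA (needs network access).

    Prefer the peeled `^{}` entry so an annotated tag yields its commit,
    not the SHA of the tag object itself.
    """
    out = subprocess.run(
        ["git", "ls-remote", "--tags", f"https://github.com/{repo}"],
        check=True, capture_output=True, text=True,
    ).stdout
    plain = peeled = None
    for line in out.splitlines():
        sha, ref = line.split("\t", 1)
        if ref == f"refs/tags/{tag}":
            plain = sha
        elif ref == f"refs/tags/{tag}^{{}}":
            peeled = sha
    commit = peeled or plain
    if commit is None:
        raise LookupError(f"{repo} has no tag {tag}")
    return commit


def pin_workflow(text: str, resolve: Resolver = resolve_tag_with_git) -> str:
    """Rewrite every `uses: owner/repo@tag` to `uses: owner/repo@<sha> # tag`.

    Lines already pinned to a full SHA are left untouched. The original tag is
    kept as a trailing comment so readers can still see which version is meant.
    """
    def repl(m: re.Match) -> str:
        ref = m.group("ref")
        if SHA_RE.match(ref):
            return m.group(0)  # already pinned, keep the line as-is
        sha = resolve(m.group("repo"), ref)
        if not SHA_RE.match(sha):
            raise ValueError(f"non-SHA result for {m.group('repo')}@{ref}: {sha!r}")
        path = m.group("path") or ""
        return f"{m.group('prefix')}{m.group('repo')}{path}@{sha} # {ref}"

    return "\n".join(USES_RE.sub(repl, line) for line in text.splitlines())


# Constructed sample workflow fragment (not a real project's file).
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # already pinned
      - uses: example-org/monorepo/actions/lint@v1.2.3
        with:
          strict: true
"""

# Constructed tag-to-SHA table standing in for the network lookup.
FAKE_TAGS = {
    ("actions/checkout", "v4"): "a" * 40,
    ("example-org/monorepo", "v1.2.3"): "b" * 40,
}


def fake_resolver(repo: str, tag: str) -> str:
    """Offline stand-in for resolve_tag_with_git using the constructed table."""
    return FAKE_TAGS[(repo, tag)]


def demo() -> str:
    return pin_workflow(SAMPLE_WORKFLOW, fake_resolver)


if __name__ == "__main__":
    print(demo())
```

Run against a real workflow, `pin_workflow(open(".github/workflows/ci.yml").read())` uses `git ls-remote` for each unpinned action; the single-dependency upgrade the issue asks for is the same resolver applied to one `owner/repo@tag` pair.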