
v2 release marked as latest #1009

Closed
ennru opened this issue Nov 14, 2022 · 6 comments

Comments

@ennru

ennru commented Nov 14, 2022

Just wondering as it first tricked me, why is v2.5.0 marked as the latest release when there is v3.1.0?

https://github.com/actions/checkout/releases

@neilmayhew

neilmayhew commented Nov 15, 2022

I found this confusing too. I changed my workflow to comply with the GitHub advisory from September 22 and was still getting warnings about the use of Node.js 12. I eventually discovered that the "latest" version of this action (v2.5.0) is still using 12 and there's no information about whether the v3 series is recommended for production use. This makes it look like GitHub isn't following its own advice!

I assume that the v2.5.0 tag was made more recently than the v3.1.0 tag and this causes it to be shown as "latest".

@jku

jku commented Nov 22, 2022

I suppose this was clear already but just saying it out loud: Dependabot does not upgrade users who are pinning hashes from v2.5.0 to v3.x.y. I'm not sure if it should (since that's not documented anywhere) but it seems related.

The same issue has been filed before as well: see #831 for an example from June.
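The comment above turns on two things a workflow author controls: whether the action is pinned to a full commit SHA (so a re-pointed or newly created "latest" tag cannot change what runs) and whether Dependabot is configured to bump those pins. The following is an added example, not configuration from this thread or from the actions/checkout project; the commit SHA is an obviously fake placeholder that must be replaced with the real commit for the version you verify, and the version in the trailing comment is the one Dependabot uses to decide what a pin currently corresponds to.

```yaml
# .github/workflows/ci.yml  (added example; file name and job are assumed)
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Pin to a full-length commit SHA, not a moving tag such as v2 or v3.
      # The trailing "# vX.Y.Z" comment is what Dependabot reads to know
      # which release this SHA corresponds to, so it can bump SHA and comment together.
      # PLACEHOLDER SHA: not a real actions/checkout commit; resolve it yourself.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v3.1.0
      - run: echo "checked out $GITHUB_SHA"

---
# .github/dependabot.yml  (added example)
version: 2
updates:
  # The "github-actions" ecosystem covers `uses:` references in workflow files,
  # including SHA-pinned ones carrying a version comment.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

With this in place, the "Latest" badge on the releases page stops mattering for what your jobs execute: the pin is immutable, and an upgrade arrives as a reviewable Dependabot pull request that updates both the SHA and the version comment.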

@jku

jku commented Dec 6, 2022

> I suppose this was clear already but just saying it out loud: Dependabot does not upgrade users who are pinning hashes from v2.5.0 to v3.x.y. I'm not sure if it should (since that's not documented anywhere) but it seems related.

Sometime last week dependabot started upgrading actions/checkout to 3.x.y in my projects 🤷 so this was maybe an unrelated dependabot bug fixed in the latest dependabot release?

I'm surprised about the lack of maintainer comments or actions on issues like this. Maybe there is no actions/checkout issue here, but not seeing any communication for 22 days -- even closing the issue as not-a-bug -- is a little worrying.

@neilmayhew

> not seeing any communication for 22 days … is a little worrying.

I agree, especially since this is a very core action — I assume every workflow on GitHub is using it — and since this relates to a security advisory.

I see that there are 291 open issues. That's not a good sign either.

@dgokcin

dgokcin commented Jan 2, 2023

I am having the same issue as @jku. Any updates here?

@cory-miller
Contributor

Closing since this is outdated. v4.1.0 is now marked as latest.
