Option to pin to major version for all repos

[lordmauve]

Our firm currently prefers using major version tag convention (e.g. @v4) instead of commit hashes.

There is a rationale: we use a non-public GitHub Enterprise Server and therefore are not concerned about being exposed to external attackers, and we decided we would rather sacrifice reproducibility (for this, many things not) in order not to make changes in every repo in order to apply non-breaking changes.

I'd like an option to use tag versions for all repos, or perhaps "trusted orgs", and use only tags matching v\d+ (unless there are no such tags I guess). Perhaps:

[tool.gha-update]
tag-only = ["actions/*", "my-org/*"]
prefer-major-tags = true

or maybe

tool.gha-update.tag-preference = "major"

for future extension.

[davidism]

I very intentionally wrote this to support commit hash pins only, with an opt out for specific cases where that causes a known problem. After considering it for a long time, I just closed another issue asking for wildcards in tag-only, you can see the discussion here: #3

[lordmauve]

Sorry, GitHub fail - I only looked in open issues for this.

I agree with all points raised on both sides in that issue. There have been major security issues recently and people should be deliberate. For our GHES instance the security considerations don't quite apply. There is GitHub Connect feature that lets GHES use actions from github.com, so it's not exclusively the case that GHES is protected - we just disabled that feature. But either way our deliberate choice is to use tags for actions within our orgs and from GitHub with whom we have a contract. If we used GitHub.com I think the same policy would be an equally justifiable choice.

I also agree with "keep existing style". I came looking for a tool because I was contributing to a project that had out-of-date actions/checkout@v2, a tag which no longer works (I think it has been deleted recently?), and I wanted to update them all conveniently. Changing a maintainer's choices without a separate discussion and a separate PR will often mean your PR is not accepted.