Uncategorized
GitHub Actions & Security: Best practices Rob Bos 06 Feb, 2021
Rob wanted to double check how GitHub Actions use SemVer for their versioning system, and he found more idiosyncrasies again: How GitHub Actions versioning works
TL;DR:
The runner just downloads what you specified, by getting it from the tag
The runner does not do SemVer at all. It’s up to the maintainer
Even GitHub does not update (or create) all SemVer versions, so @v3 is not necessarily the latest thing for v3!
The marketplace shows releases, not tags. If the maintainer does not actually release, it’s not visible