Downstream repos reference images-shared's reusable workflows and composite actions using @main:
```yaml
# Reusable workflow (job-level)
uses: posit-dev/images-shared/.github/workflows/bakery-build-pr.yml@main
# Composite action (step-level)
uses: posit-dev/images-shared/setup-bakery@main
```
@main is mutable — downstream repos always track HEAD, including breaking changes, and have no way to pin to a stable ref without tracking a full SHA. GitHub's "Require actions to be pinned to a full-length commit SHA" setting blocks step-level @main references, so downstream repos cannot enable that setting while referencing images-shared composite actions this way.
What's needed:
- A tag strategy (@v1, @latest, or similar)
- A workflow or manual process to advance the tag on releases
- Updated downstream documentation on which ref to use
This would also make it straightforward for downstream repos to enable SHA pinning on step-level composite action refs by pinning the tag's SHA once and letting Dependabot maintain it.
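As an added example (not part of the original issue or the images-shared project), this Python script audits a workflow file for `uses:` references that are not pinned to a full-length commit SHA and labels each as a job-level reusable workflow or a step-level action. The function name `audit_uses`, the sample workflow, and the 40-character SHA in it are constructed for illustration.

```python
import re

# A `uses:` key, either at job level or as a step list item ("- uses:").
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?(?P<target>[^\s'\"#]+)")
# A full-length commit SHA is exactly 40 hex characters.
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")

# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  build:
    uses: posit-dev/images-shared/.github/workflows/bakery-build-pr.yml@main
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: posit-dev/images-shared/setup-bakery@main
      - uses: posit-dev/images-shared/setup-bakery@0123456789abcdef0123456789abcdef01234567 # constructed SHA
      - uses: ./local-action
"""


def audit_uses(workflow_text):
    """Return (line number, kind, target) for every ref that is not a full SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        target = match.group("target")
        # Local paths and container images carry no git ref to pin.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        path, sep, ref = target.rpartition("@")
        if not sep:
            path, ref = target, ""  # no ref given at all
        kind = "reusable-workflow" if "/.github/workflows/" in path else "action"
        if not FULL_SHA_RE.match(ref):
            findings.append((lineno, kind, target))
    return findings


if __name__ == "__main__":
    for lineno, kind, target in audit_uses(SAMPLE):
        print(f"line {lineno}: {kind} not pinned to a full SHA: {target}")
```
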