This is something we're explicitly not trying to do given the nature of the security release. We recommend in SPEC 8 that people use Dependabot for GitHub actions to keep things updated. c.f. the README too.

Updates to the action itself are infrequent by design.

I'm in transit and on my phone so the response is very short, but if there are additional questions we can definitely discuss more. 👍

Yes that's the point of using hashes and pointing to specific versions. It's not convenient yes, but the other option is not secure.

Fair. PyPI release action uses moving tags, but I guess that is technically more secure due to the OAuth tokens/trusted-publishers used.

Regarding dependabot, it would be good to also point to a renovatebot configuration. dependabot is a very noisy solution which does miss updates due to the 5 PR limit.

Monthly dependabot is still noisy, but usually is an acceptable compromise.

dependabot is a very noisy solution which does miss updates due to the 5 PR limit.

I do not think it is asking too much to merge a PR once every 5 months.

It is fair to ask for other tools though! I don't have experience with renovate but if you can point to examples we can look at if that's something that integrates into the security model. (Seems like probably yes from the very little I do know about it.)

dependabot is a very noisy solution which does miss updates due to the 5 PR limit.

I do not think it is asking too much to merge a PR once every 5 months.

It's a different issue. Dependabot, by default, can only have 5 open PRs, after which any updates will be missed. Other brilliant design choices they've made is that whenever there is an update, instead of rebasing an old PR, they simply close and open a new PR, resulting in inactive projects with thousands of PRs.

It is fair to ask for other tools though! I don't have experience with renovate but if you can point to examples we can look at if that's something that integrates into the security model.

Unfortunately the documentation for renovatebot is quite opaque. Afaiu, the default should pick up on all providers including GH actions

{
  "extends": ["config:recommended"]
}

I believe that for the model here, you want to include "helpers:pinGitHubActionDigests", but it should probably be limited to a specific package match for this action.

If you have a setup, you can then make it shareable via

{
  "extends": ["github>scientific-python/upload-nightly-action"]
}

You can group the dependabot updates into one pr, doing that and opting for monthly you practically will never reach the 5 limit.

You can group the dependabot updates into one pr, doing that and opting for monthly you practically will never reach the 5 limit.

Yeah, I've played around with that when they first released it. It still didn't rebase PRs, so it was still incredibly noisy.