Immutable Releases

[CalvinRodo]

Enabling this will make it easier to use this action in a secure way, with mutable tags I need to either fork this action or pin to a Git SHA to ensure that I am using a known version of this action, with an immutable release I can pin to the tag and be confident the code won't be maliciously modified due to a compromise of this repo.

https://docs.github.com/en/actions/how-tos/create-and-publish-actions/using-immutable-releases-and-tags-to-manage-your-actions-releases

It also makes it easier to understand what version we are using in workflows as we can view the version number instead of a sha

[zimeg]

Hey @CalvinRodo! 👋 Thanks for sharing this update with us - it looks quite promising 🐙

At the moment our release process creates then moves the release tag on "publish" to a packaged commit to avoid clutter on the main branch. More details might exist in #444.

I agree we should revisit this for immutable tagging! Perhaps the release branch is created and tagged before publishing a release?

Let's keep this issue open towards an updated publish workflow. In the meantime I might suggest using hashes with a version comment:

- uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1

The kind @dependabot does well with updating that comment, but I agree that this might not be a great workaround 🤖