Add check_retries to action.yml

[timyates]

I completely missed this when we were doing #493

🙄

Sorry about that, I only just saw the warning in our pipeline

[mikepenz]

Overlooked it too. 🙃

[timyates]

Any chance of a v3.0.2? </nag> 😉

[mikepenz]

Oh yes absolutely, sorry for not having done so already.

Just a general note. Personally (and from a security perspective) it's advised that you pin actions you use to specific git commit hashes as it will prevent anybody to change a given version in the future.

Via the same approach you can actually refer to any git commit you want to use.

So for example you can use this commit via:

mikepenz/action-junit-report@e9e477c81cb13b03f1eaf153c4bbc22ce8ce7b22

[mikepenz]

https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

Pin actions to a full length commit SHA

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

[timyates]

Cool, thanks 👍

Interesting! I guess there's no way to get dependabot to use hashes instead of versions 🤔

[mikepenz]

I actually don't know. but that's an interesting point. Wonder if it can be achieved with dependabot

[timyates]

I'll have a dig around in google. Thanks again for all the work on this Mike btw 😎👍

[mikepenz]

Glad the action is helpful to people.