ReimarBauer
With pixi we currently can't use menuinst. The issue can't happen since v10.
Welcome @YashaswiniTB I assigned it to you.
I am not sure about what you want to know. On fixing issues it is always to investigate how it could happen. Someone doing this and understanding the source will...
What have we done that we don't pin by hash? Seems also using hash pinning can write the version string as a comment: https://github.com/dependabot/dependabot-core/issues/4691
This needs a review: https://stacklok.com/blog/automating-security-for-github-actions-in-minder
Looks good to me (https://github.com/stacklok/frizbee#installation). We maybe can prepare an action based on this.
link to: https://github.com/prefix-dev/pixi/pull/3369
Because this action receives frequent updates, it often invalidates manually added checksums (https://github.com/marketplace/actions/setup-pixi). This issue gets only closed after we automated checksum updates.
When I use frizbee locally it updates to the commit hash. I tried to add that. https://github.com/stacklok/frizbee-action I don't want to keep manually added PR for having an immutable reference....
> My understanding is that dependabot updates with pinned hashes if the action already uses a pinned hash. So the same thing as frizbee's updates, as soon as we have pinned...