I think I'd prefer weekly; monthly seems a little too spread out.

Overall I think the worst thing about pinning is how it's a pain to update locally if you need some feature "now"; I'm not aware of any tool one can run that updates things to this format (which dependabot and renovate both use). I pin actions on my repos and use renovate, but I'm also happy to have loads of PR noise that I don't wish to bestow on the team 😄

As for TypeScript-Twoslash-Repro-Action, can it not pin at <hash> # master? Then again, that's code we own, and it'd be a pain to not get updates there in short order when we change it.

I think I'd prefer weekly; monthly seems a little too spread out.

Done!

As for TypeScript-Twoslash-Repro-Action, can it not pin at <hash> # master? Then again, that's code we own, and it'd be a pain to not get updates there in short order when we change it.

Yes, absolutely. Done!

I was just concerned it'd create too much noise. But given that we're using grouped PRs for all Actions, it actually isn't a problem, especially since the Action's repo isn't very active.

But yeah, if there's any new features you think will be useful for TypeScript, you'll either need to wait a week for the dependabot PR or manually update the hash, which can be a bit of a hassle.

If you prefer, I can revert that change and leave it @master.

Let's stick with pinned for now, and if it's a problem it's easy to go back. I agree that the other repo isn't extremely trafficked at the moment though there's some recent stuff I wanted to change there.

Hey @jakebailey ,

Overall I think the worst thing about pinning is how it's a pain to update locally if you need some feature "now"; I'm not aware of any tool one can run that updates things to this format (which dependabot and renovate both use).

I'm not 100% sure I understood your complain, but renovate bot have a feature that "triggers" it to run again and check for new updates "now". Is that what you're looking for? See an example of this trigger at this issue of one testing repo of mine. The trigger is at the bottom.

I use renovate on my personal projects (but IIRC we don't have the ability to do so in this org), but what I'm looking for specifically is a tool that I can run locally that does what renovate or dependabot do. Both are far too intertwined into GitHub or a PR flow for them to work (I've tried!). The closest tool I've found is https://github.com/mheap/pin-github-action, but it uses its own bespoke version format string.