Pin Docker Image Version

[mrdrogdrog]

Hello,

today we encountered a weird problem in our CI because for no reason the reuse action failed to work.
Even commits that have been okay before were suddenly failing on rerun.
https://github.com/hedgedoc/hedgedoc/actions/runs/5333016704/attempts/1
https://github.com/hedgedoc/hedgedoc/actions/runs/5333016704/attempts/2

After some investigation I found the problem: A bug in the reuse tool that only occurs in version 2.0. What has been even weirder was the confusion about why this bug affected us, because we're pinning the version of all of our used github actions.

Then I found out that the Dockerfile in this repository is using the latest tag of fsfe/reuse.

Please don't do that. Please use a specific version in the Dockerfile to provide consistent behaviour of this action. Yes, that would mean that if there is an update for the reuse tool you would also need to publish a new version of this action. However I think the advantage of stability outweigh the disadvantages.

Thanks for reading ❤️

[XVilka]

Looks like it happened again, suddenly there are many new errors like that:

reuse.report - ERROR - Unexpected error occurred while parsing 'librz/core/cmd_descs/cmd_type.yaml'
ValueError: Duplicate field "Copyright" in paragraph number 46

[mxmehl]

Please find the reason for these newer issues with 2.1.0 here: fsfe/reuse-tool#803. tl;dr: you probably use DEP5 in a non-standard way, using multiple Copyright: statements per entry.

Regarding your request, I would prefer not to bump the version of the action for every REUSE release, but for every major one. That makes most sense and I will take care of it soon.

[mxmehl]

Fixed with the latest releases. You can now use @v2 to explicitely use the 2.x version branch of the tool (which I would recommend as it will detect some more licensing scanning bugs in DEP5 as we've just seen).