GH Pin SHA for security and Stability.#487

Merged
Tatsinnit merged 1 commit intoAzure:mainfrom
Tatsinnit:update/pin-sha-workflows
Feb 4, 2025

Conversation

@Tatsinnit
Member

@Tatsinnit Tatsinnit commented Feb 4, 2025

Pinning dependencies is a best practice in software development because it ensures reliability, security, and consistency across builds and deployments. For a general audience, here’s why it’s beneficial:

1. Ensures Build Stability

  • If you use floating versions (e.g., @latest, @v5), a new release could break your workflow unexpectedly.
  • Pinning to a specific version or SHA ensures that the same version is used every time.

Example:

```yaml
# Unpinned (Risky)
- uses: actions/setup-go@v5  # May change with updates

# Pinned (Stable)
- uses: actions/setup-go@c7c5d76577b5e477c72e5e48b2f29a85266e1a29  # Uses exact commit SHA
```

2. Improves Security

  • Floating versions can introduce supply chain attacks if a dependency is compromised.
  • Pinning a SHA ensures that you are only using a verified version of an action or library.

Let's always pin dependencies for reliability & security.

Pinning dependencies prevents unexpected failures, security risks, and inconsistent behavior across environments.

Starting with this repo for now; next up, I will add Dependabot to this repo for these things for future updates and share it across for evangelism. Thanks heaps ❤️ fyi @davidgamero
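The description above contrasts a tag reference with a full commit SHA. A small checker that applies that rule to a workflow file, as an added example that is not part of this PR or the repository's code: it scans `uses:` lines, treats only a 40-character hex SHA as pinned, and additionally flags pinned lines that lack the `# vN` comment humans rely on to read them. The workflow text below is constructed for the example; the `actions/setup-go` SHA is the one quoted in the PR, while the `azure/login` SHA is a placeholder, not a real commit. Local (`./…`) and `docker://` references carry no `@ref` in this form and are skipped.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA.

Added example, not code from the PR. It parses workflow text with a regular
expression rather than a YAML library so it runs with the standard library only.
"""
import re
from dataclasses import dataclass

# Matches "uses: owner/repo[/path]@ref" with an optional trailing "# comment".
# Local actions ("uses: ./path") and "docker://" images have no "@ref" here and
# therefore do not match; they are not the concern of SHA pinning.
_USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>.*))?\s*$"
)
# A full Git object id: 40 lowercase hex characters. Abbreviated SHAs do not count.
_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    pinned: bool
    note: str


def check_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` line; pinned is True only for a full SHA."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = _USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if _SHA_RE.match(ref):
            # Pinned. A version comment keeps the line readable and lets
            # Dependabot-style tooling know which release the SHA stands for.
            note = "ok" if comment else "pinned but missing version comment"
            findings.append(Finding(line_no, action, ref, True, note))
        else:
            # Tags and branches are mutable: whoever controls the action repo
            # can move them, so the build is not reproducible or verifiable.
            findings.append(Finding(line_no, action, ref, False,
                                    f"mutable ref {ref!r}; tags and branches can be moved"))
    return findings


def unpinned(text: str) -> list[Finding]:
    """Only the findings that need action: references not pinned to a full SHA."""
    return [f for f in check_workflow(text) if not f.pinned]


# Constructed sample workflow. The azure/login SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@c7c5d76577b5e477c72e5e48b2f29a85266e1a29  # v5
      - uses: actions/upload-artifact@main
      - uses: ./.github/actions/local-step
      - uses: azure/login@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for f in check_workflow(SAMPLE_WORKFLOW):
        status = "PINNED  " if f.pinned else "UNPINNED"
        print(f"line {f.line_no:>2} {status} {f.action}@{f.ref}  {f.note}")
```

Run it as-is to see the report for the sample, or feed it `Path(".github/workflows/x.yml").read_text()` in a CI step that fails when `unpinned()` returns anything. It deliberately does not try to resolve tags to SHAs over the network; that lookup belongs in the tool that rewrites the file (Dependabot, as the PR mentions), not in the gate that checks it.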

@Tatsinnit Tatsinnit added the github_actions Pull requests that update GitHub Actions code label Feb 4, 2025
@Tatsinnit Tatsinnit requested review from a team, bfoley13, Copilot and davidgamero February 4, 2025 04:55
@Tatsinnit Tatsinnit self-assigned this Feb 4, 2025

Copilot AI left a comment

Copilot reviewed 5 out of 8 changed files in this pull request and generated no comments.

Files not reviewed (3)
  • .github/workflows/e2e-info.yml: Evaluated as low risk
  • .github/workflows/integration-install.yml: Evaluated as low risk
  • .github/workflows/integration-json.yml: Evaluated as low risk

Contributor

@Vidya2606 Vidya2606 left a comment

lgtm!

@Tatsinnit Tatsinnit enabled auto-merge (squash) February 4, 2025 06:17
Collaborator

@davidgamero davidgamero left a comment

lgtm

@Tatsinnit Tatsinnit merged commit 9b60047 into Azure:main Feb 4, 2025
145 checks passed