What happens:
When fullsend admin install scaffolds caller workflows into a repo, all uses: references to fullsend reusable workflows and shared actions are pinned to the floating v0 tag:
uses: fullsend-ai/fullsend/.github/workflows/reusable-triage.yml@v0
uses: fullsend-ai/fullsend/.github/actions/mint-token@v0
This applies to reusable-triage.yml, reusable-code.yml, reusable-review.yml, reusable-fix.yml, reusable-retro.yml, mint-token, setup-gcp, and validate-enrollment.
What should happen:
The scaffolded uses: lines should be pinned to the commit SHA of the fullsend release used to run the install, with the semver version in a comment:
uses: fullsend-ai/fullsend/.github/workflows/reusable-triage.yml@abc1234 # v1.2.3
uses: fullsend-ai/fullsend/.github/actions/mint-token@abc1234 # v1.2.3
When installing from a development build (binary built from main rather than a release tag), the scaffolded references should pin to the HEAD SHA of main at build time, with a comment identifying it as a dev build:
uses: fullsend-ai/fullsend/.github/workflows/reusable-triage.yml@abc1234 # main (dev)
uses: fullsend-ai/fullsend/.github/actions/mint-token@abc1234 # main (dev)
This allows contributors to install from a local main build and have the scaffolded workflows actually exercise the in-progress workflow changes, rather than whatever v0 points to.
Context:
SHA pinning is a supply-chain security best practice. A floating tag like v0 can be moved to a different commit, silently changing what runs in installed repos without any indication in the caller workflow files. Pinning to the SHA of the installed version makes the ref immutable and auditable.
The dev-build case (see also #1166) is equally important for testability: without it, testing workflow changes end-to-end requires either moving the v0 tag manually or accepting that the installed workflows are running stale code.
What happens:
When
fullsend admin installscaffolds caller workflows into a repo, alluses:references to fullsend reusable workflows and shared actions are pinned to the floatingv0tag:This applies to
reusable-triage.yml,reusable-code.yml,reusable-review.yml,reusable-fix.yml,reusable-retro.yml,mint-token,setup-gcp, andvalidate-enrollment.What should happen:
The scaffolded
uses:lines should be pinned to the commit SHA of the fullsend release used to run the install, with the semver version in a comment:When installing from a development build (binary built from
mainrather than a release tag), the scaffolded references should pin to the HEAD SHA ofmainat build time, with a comment identifying it as a dev build:This allows contributors to install from a local
mainbuild and have the scaffolded workflows actually exercise the in-progress workflow changes, rather than whateverv0points to.Context:
SHA pinning is a supply-chain security best practice. A floating tag like
v0can be moved to a different commit, silently changing what runs in installed repos without any indication in the caller workflow files. Pinning to the SHA of the installed version makes the ref immutable and auditable.The dev-build case (see also #1166) is equally important for testability: without it, testing workflow changes end-to-end requires either moving the
v0tag manually or accepting that the installed workflows are running stale code.