Skip to content

admin install should pin reusable workflows and actions to a commit SHA instead of v0 #1075

Description

@rh-hemartin

What happens:

When fullsend admin install scaffolds caller workflows into a repo, all uses: references to fullsend reusable workflows and shared actions are pinned to the floating v0 tag:

uses: fullsend-ai/fullsend/.github/workflows/reusable-triage.yml@v0
uses: fullsend-ai/fullsend/.github/actions/mint-token@v0

This applies to reusable-triage.yml, reusable-code.yml, reusable-review.yml, reusable-fix.yml, reusable-retro.yml, mint-token, setup-gcp, and validate-enrollment.

What should happen:

The scaffolded uses: lines should be pinned to the commit SHA of the fullsend release used to run the install, with the semver version in a comment:

uses: fullsend-ai/fullsend/.github/workflows/reusable-triage.yml@abc1234  # v1.2.3
uses: fullsend-ai/fullsend/.github/actions/mint-token@abc1234  # v1.2.3

When installing from a development build (binary built from main rather than a release tag), the scaffolded references should pin to the HEAD SHA of main at build time, with a comment identifying it as a dev build:

uses: fullsend-ai/fullsend/.github/workflows/reusable-triage.yml@abc1234  # main (dev)
uses: fullsend-ai/fullsend/.github/actions/mint-token@abc1234  # main (dev)

This allows contributors to install from a local main build and have the scaffolded workflows actually exercise the in-progress workflow changes, rather than whatever v0 points to.

Context:

SHA pinning is a supply-chain security best practice. A floating tag like v0 can be moved to a different commit, silently changing what runs in installed repos without any indication in the caller workflow files. Pinning to the SHA of the installed version makes the ref immutable and auditable.

The dev-build case (see also #1166) is equally important for testability: without it, testing workflow changes end-to-end requires either moving the v0 tag manually or accepting that the installed workflows are running stale code.

Metadata

Metadata

Assignees

Labels

component/installCLI install and app setupsecuritySecurity threat model and related concernstriagedTriaged but awaiting human prioritization

Type

No type

Fields

No fields configured for issues without a type.

Projects

Status
Done

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions