Skip to content

ci: pin all tool versions in Taskfiles to specific releases#281

Closed
maniSbindra wants to merge 1 commit into
mainfrom
ci/pin-taskfile-tool-versions-277
Closed

ci: pin all tool versions in Taskfiles to specific releases#281
maniSbindra wants to merge 1 commit into
mainfrom
ci/pin-taskfile-tool-versions-277

Conversation

@maniSbindra

Copy link
Copy Markdown
Contributor

Summary

Pin every tool version in Taskfile *_VERSION maps to a specific release instead of latest. This addresses supply chain security risks where a compromised upstream release would silently flow into CI and developer environments.

Changes

Replace all latest values across 9 Taskfiles (37 tools total):

Taskfile Tools
golang.Taskfile.yml dlv v1.26.3, gopls v0.22.0, deadcode v0.45.0, golangciLint v2.12.2, gotestsum v1.13.0, govulncheck v1.3.0, goimports v0.45.0, gofumpt v0.10.0, goTestCoverage v2.18.8, gocoverCobertura v1.5.0, goreleaser v2.16.0
azure.Taskfile.yml az 2.86.0, azd 1.25.2, bicep v0.43.8
github.Taskfile.yml actionlint v1.7.12, act v0.2.88, pinact v4.0.0, ghalint v1.5.6, gh v2.92.0
javascript.Taskfile.yml prettier 3.8.3
markdown.Taskfile.yml markdownlintCli2 0.22.1, markdownTableFormatter 1.7.0
runtime.Taskfile.yml uv 0.11.16, fnm v1.39.0, pwsh v7.6.2, golang 1.26.3
shell.Taskfile.yml shellcheck v0.11.0, shfmt v3.13.1
terraform.Taskfile.yml terraform v1.15.4, opentofu v1.12.1
yaml.Taskfile.yml yamllint 1.38.0

Why

  • Supply chain security: Prevents silent injection of compromised releases
  • Reproducibility: Ensures consistent builds across CI and local dev
  • Auditability: Version changes are tracked in git history via explicit PRs

What was NOT changed

  • GitHub Actions workflows (already SHA-pinned)
  • Install scripts (receive version from Taskfile maps; latest fallback in help text is documentation only)
  • Dependabot config (already manages github-actions, devcontainers, gomod)

Closes #277

@maniSbindra maniSbindra requested a review from a team as a code owner May 27, 2026 12:59
@maniSbindra maniSbindra requested a review from Copilot May 27, 2026 12:59

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR pins Taskfile-managed tool versions to explicit releases instead of latest, improving reproducibility and reducing supply-chain risk across CI and developer setup tasks.

Changes:

  • Replaces latest in Taskfile version maps with concrete release versions.
  • Applies pinning across Go, Azure, GitHub, JavaScript, Markdown, runtime, shell, Terraform, and YAML tooling.
  • Keeps installer scripts and workflow files unchanged.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
.taskfiles/azure.Taskfile.yml Pins Azure CLI, Azure Developer CLI, and Bicep versions.
.taskfiles/github.Taskfile.yml Pins GitHub-related tooling versions.
.taskfiles/golang.Taskfile.yml Pins Go toolchain helper versions.
.taskfiles/javascript.Taskfile.yml Pins Prettier version.
.taskfiles/markdown.Taskfile.yml Pins Markdown lint/format tooling versions.
.taskfiles/runtime.Taskfile.yml Pins runtime setup tool versions.
.taskfiles/shell.Taskfile.yml Pins shell lint/format tooling versions.
.taskfiles/terraform.Taskfile.yml Pins Terraform and OpenTofu versions.
.taskfiles/yaml.Taskfile.yml Pins yamllint version.

Comment thread .taskfiles/runtime.Taskfile.yml Outdated
golang: latest
uv: 0.11.16
fnm: v1.39.0
pwsh: v7.6.2
Comment thread .taskfiles/terraform.Taskfile.yml Outdated
map:
terraform: latest
opentofu: latest
terraform: v1.15.4
Comment thread .taskfiles/shell.Taskfile.yml Outdated
map:
shellcheck: latest
shfmt: latest
shellcheck: v0.11.0
@maniSbindra maniSbindra force-pushed the ci/pin-taskfile-tool-versions-277 branch from 6056692 to 717c825 Compare May 27, 2026 13:58
@maniSbindra maniSbindra requested a review from Copilot May 27, 2026 13:58

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 14 out of 14 changed files in this pull request and generated 3 comments.

Comment thread .taskfiles/azure.Taskfile.yml Outdated
bicep: latest
az: 2.86.0
azd: 1.25.2
bicep: v0.43.8
Comment thread .taskfiles/scripts/setup_pwsh.sh Outdated
Comment on lines +120 to +122
check_sudo

if [[ "${VERSION}" == "latest" && ( "${arch}" == "aarch64" || "${arch}" == "arm64" ) ]]; then
Comment thread .taskfiles/github.Taskfile.yml Outdated
Comment on lines +11 to +12
pinact: v4.0.0
ghalint: v1.5.6
@maniSbindra maniSbindra force-pushed the ci/pin-taskfile-tool-versions-277 branch from 717c825 to 98128f8 Compare May 27, 2026 14:18
@maniSbindra maniSbindra requested a review from Copilot May 27, 2026 14:18

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 14 out of 14 changed files in this pull request and generated 2 comments.

Comment on lines +164 to +168
log "Installing ${TOOL_NAME} (${version}) from pinned release archive"
mkdir -p "${installDir}" || die "Failed to create install directory ${installDir}"
curl -fsSL "${downloadUrl}" -o "${archivePath}" || die "Failed to download PowerShell ${version}"
tar -xzf "${archivePath}" -C "${installDir}" || die "Failed to extract PowerShell ${version}"
chmod +x "${installDir}/pwsh" || die "Failed to make pwsh executable"
Comment on lines +103 to +107
mkdir -p "${installDir}" "${binDir}" || die "Failed to create install directories"
curl -fsSL "${downloadUrl}" -o "${archivePath}" || die "Failed to download PowerShell ${version}"
tar -xzf "${archivePath}" -C "${installDir}" || die "Failed to extract PowerShell ${version}"
chmod +x "${installDir}/pwsh" || die "Failed to make pwsh executable"
ln -sf "${installDir}/pwsh" "${binDir}/pwsh" || die "Failed to link pwsh"
 Replace every 'latest' value in *_VERSION maps across all 9 Taskfiles
 with the current stable release version (37 tools total).

 This improves supply chain security by preventing silent injection of
 compromised releases, ensures reproducible builds across CI and local
 dev, and makes version changes auditable via git history.

 Closes #277

 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@maniSbindra maniSbindra force-pushed the ci/pin-taskfile-tool-versions-277 branch from 98128f8 to 68660c5 Compare May 27, 2026 15:40
@maniSbindra maniSbindra requested a review from Copilot May 27, 2026 15:42

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 14 out of 14 changed files in this pull request and generated 10 comments.

Comment on lines +9 to +13
actionlint: 1.7.12
act: 0.2.88
pinact: 4.0.0
ghalint: 1.5.6
gh: 2.92.0
Comment on lines +9 to +11
az: 2.86.0
azd: 1.25.2
bicep: 0.43.8
Comment on lines +9 to +10
terraform: 1.15.4
opentofu: 1.12.1
map:
shellcheck: latest
shfmt: latest
shellcheck: 0.11.0
dlv: v1.26.3
gopls: v0.22.0
deadcode: v0.45.0
golangciLint: 2.12.2
gofumpt: v0.10.0
goTestCoverage: v2.18.8
gocoverCobertura: v1.5.0
goreleaser: 2.16.0
fnm: latest
pwsh: latest
golang: latest
uv: 0.11.16
pwsh: latest
golang: latest
uv: 0.11.16
fnm: 1.39.0
uv: 0.11.16
fnm: 1.39.0
pwsh: 7.6.2
golang: 1.26.3
map:
terraform: latest
opentofu: latest
terraform: 1.15.4
maniSbindra added a commit that referenced this pull request May 29, 2026
Refs #277. Replaces `latest` with concrete semver in 9 Taskfile
*_VERSION maps (27 of 30 tools pinned; pwsh, actionlint, and
markdownlint-cli2 deliberately left at latest — see deferred list).
Pinned values match those proposed in closed PR #281.

Coverage after this commit
  - 27 of 30 CI-reachable install paths are pinned. Every `task …`
    install target invoked by .github/workflows/ resolves to a
    fixed version except for actionlint and markdownlint-cli2
    (see deferred list).
  - Linux and Windows developer machines: pinned for 27 tools.
  - macOS developers using the repo's devcontainer: pinned for
    27 tools (devcontainer is Linux-based).
  - macOS developers running tasks natively on the host: still
    use `_install:brew`, which today maps to formula names like
    `bicep@0.43.8` that Homebrew does not publish. Native-macOS
    setup is therefore expected to fail until phase 2 of #277
    replaces the brew path; the devcontainer is the supported
    macOS workflow in the meantime.

Explicitly out of scope (deferred to follow-ups). None introduces
a new silent supply-chain regression in CI; they are either
dev-machine-only, loud failures rather than silent `latest`
fallback, or pre-existing behavior unchanged by this commit:
  - actionlint kept at `latest` because the install_actionlint.sh
    wrapper prepends a `v` prefix to numeric versions, but upstream
    download-actionlint.bash requires bare `X.Y.Z` form — the
    wrapper bug needs fixing before this tool can be pinned (FU-2)
  - markdownlint-cli2 kept at `latest` because the
    `internal:command:version` precondition (`grep -F` against
    `markdownlint-cli2 --help` output) fails at the pinned value
    and needs the version-check normalization landed first (FU-1)
  - pwsh kept at `latest` because setup_pwsh.sh `die`s on any
    non-`latest` value; pinning pwsh requires the script rewrite
    tracked alongside SHA verification (FU-3)
  - _internal.Taskfile.yml v-prefix normalization (FU-1)
    (correctness — version-assert preconditions may falsely fail)
  - installer-script v-prefix stripping (FU-2)
    (correctness — scripts fail loudly on mismatch, no silent latest)
  - setup_pwsh.sh direct-download with SHA verification (FU-3)
    (dev-machine only; CI uses runner-preinstalled pwsh)
  - _install:winget `ignore_error: true` (pre-existing soft-fail
    policy unchanged by this commit; means a rejected
    `winget --version X` on the windows-2025 e2e runner could
    fall through to a pre-installed tool. Should be tightened in
    its own focused follow-up)
  - Native-macOS supply-chain hardening / phase 2 of #277
    (dev-machine only; no macOS in CI)
  - Terraform apt Debian-revision suffix (terraform=1.15.4-1)
    (would fail loudly in e2e CI, not silently regress)
  - Renovate automation (external bot, not part of CI pipelines)
  - Top-of-map docblock convention (documentation only)
  - Devcontainer feature pinning (CI does not use devcontainer)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
maniSbindra added a commit that referenced this pull request May 29, 2026
Refs #277. Replaces `latest` with concrete semver in 9 Taskfile
*_VERSION maps (27 of 30 tools pinned; pwsh, actionlint, and
markdownlint-cli2 deliberately left at latest — see deferred list).
Pinned values match those proposed in closed PR #281.

Also tightens `.taskfiles/scripts/install_terraform.sh` to handle
HashiCorp's apt packaging: the repo sometimes publishes the bare
upstream version (`terraform=1.15.4`) and sometimes a Debian
revision (`terraform=1.15.4-1`). The script now tries the bare
form first and falls back to the `-1` form so a single pinned
semver in the Taskfile resolves either way. This is the only
script change in this PR; it is included because Terraform is a
high-value supply-chain target and leaving it unpinned would
substantially weaken the change.

Coverage after this commit
  - 27 of 30 CI-reachable install paths are pinned. Every
    `task …` install target invoked by .github/workflows/
    resolves to a fixed version except for actionlint and
    markdownlint-cli2 (see deferred list).
  - Linux and Windows developer machines: pinned for 27 tools.
  - macOS developers using the repo's devcontainer: pinned for
    27 tools (devcontainer is Linux-based).
  - macOS developers running tasks natively on the host: still
    use `_install:brew`, which today maps to formula names like
    `bicep@0.43.8` that Homebrew does not publish. Native-macOS
    setup is therefore expected to fail until phase 2 of #277
    replaces the brew path; the devcontainer is the supported
    macOS workflow in the meantime.

Explicitly out of scope (deferred to follow-ups). None introduces
a new silent supply-chain regression in CI:
  - actionlint kept at `latest` because install_actionlint.sh
    prepends a `v` prefix that upstream download-actionlint.bash
    rejects — wrapper bug must be fixed first (FU-2)
  - markdownlint-cli2 kept at `latest` because the
    internal:command:version precondition (`grep -F` against
    `markdownlint-cli2 --help`) fails at the pinned value and
    needs version-check normalization first (FU-1)
  - pwsh kept at `latest` because setup_pwsh.sh `die`s on any
    non-`latest` value; pinning pwsh requires the script rewrite
    tracked alongside SHA verification (FU-3)
  - _internal.Taskfile.yml v-prefix normalization (FU-1)
  - installer-script v-prefix stripping (FU-2)
  - setup_pwsh.sh direct-download with SHA verification (FU-3)
  - _install:winget `ignore_error: true` pre-existing soft-fail
  - Native-macOS supply-chain hardening / phase 2 of #277
  - Renovate automation (FU-7)
  - Top-of-map docblock convention (FU-8)
  - Devcontainer feature pinning (FU-9)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

ci: pin all tool versions in Taskfiles to specific releases instead of latest

2 participants