Always pin external dependencies to specific versions in CI/CD workflows to ensure build reproducibility, stability, and security. This applies to:
1. GitHub Actions (use tagged versions instead of branch names or commit SHAs)
2. External tools
3. Runtime environments
For GitHub Actions:
# ❌ Avoid:
- uses: pierotofy/set-swap-space@master
- uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
# ✅ Prefer:
- uses: pierotofy/set-swap-space@v1.2.0
- uses: docker/login-action@v2
For external tools:
# ❌ Avoid:
curl -sSLo shfmt https://github.com/mvdan/sh/releases/latest/download/shfmt_linux_amd64
# ✅ Prefer:
curl -sSLo shfmt https://github.com/mvdan/sh/releases/download/v3.7.0/shfmt_linux_amd64
For runtime environments:
# ❌ Avoid:
node-version: [20]
# ✅ Prefer:
node-version: ["20.18.3"]
Using pinned versions ensures consistent builds across different environments and times, prevents unexpected breaking changes, and makes security audits more reliable.
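As an added example (not part of the original guideline), the following Python check scans workflow text for references that do not follow the rule above: a `uses:` target is compliant only when its ref is a version tag, branch names and commit SHAs are reported, and download URLs that go through `releases/latest` are flagged. The sample workflow it runs over is constructed here and mixes pinned and unpinned references.

```python
import re

# Constructed sample workflow text mixing pinned and unpinned references.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pierotofy/set-swap-space@master
      - uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
      - uses: ./.github/actions/local-step
      - run: curl -sSLo shfmt https://github.com/mvdan/sh/releases/latest/download/shfmt_linux_amd64
      - run: curl -sSLo shfmt https://github.com/mvdan/sh/releases/download/v3.7.0/shfmt_linux_amd64
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")   # "- uses: owner/repo@ref"
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")               # v2, v1.2.0, 3.7.0
SHA_RE = re.compile(r"^[0-9a-f]{40}$")                # full git commit SHA
LATEST_RE = re.compile(r"/releases/latest/download/") # floating "latest" download

def classify_ref(ref):
    """Classify the part after '@' in a uses: target as tag, sha or branch."""
    if TAG_RE.match(ref):
        return "tag"
    if SHA_RE.match(ref):
        return "sha"
    return "branch"

def find_unpinned(workflow_text):
    """Return (line_no, reason) for every reference that violates the guideline."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            target = m.group(1)
            if target.startswith("./"):
                continue  # local action in this repository, nothing external to pin
            if "@" not in target:
                findings.append((line_no, f"{target}: no version reference"))
                continue
            kind = classify_ref(target.rsplit("@", 1)[1])
            if kind != "tag":
                findings.append((line_no, f"{target}: {kind} reference, use a tagged release"))
        if LATEST_RE.search(line):
            findings.append((line_no, "download URL uses releases/latest, pin a release version"))
    return findings

if __name__ == "__main__":
    for line_no, reason in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {reason}")
```

Running it on the constructed workflow reports the branch ref, the commit SHA ref and the `latest` download, while the tagged action, the local action and the versioned download pass.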