Context
All step-level uses: references in the PSModule workflow infrastructure follow a pinned-SHA pattern with the version tag in a trailing comment, for example:
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
This pattern is a GitHub-recommended security best practice that prevents tag-mutation attacks while preserving version readability. Tools like Dependabot and Renovate can automatically update the SHA and comment when new versions are released.
Request
The reusable workflow reference in Process-PSModule.yml currently uses a major version tag:
uses: PSModule/Process-PSModule/.github/workflows/workflow.yml@v5
This is inconsistent with the SHA-pinned pattern used everywhere else in the infrastructure. A mutable tag like @v5 can be force-pushed to point at any commit, meaning the consumed workflow could silently change between runs without any visible change in the consumer repository.
What is expected
The reference should be pinned to the commit SHA of the current release, with the patch-level version tag in a comment:
uses: PSModule/Process-PSModule/.github/workflows/workflow.yml@4343d76f9e8c9468527175ea292092c2d055be8c # v5.4.5
This applies to all repositories that consume Process-PSModule, not just the GitHub module.
Acceptance criteria
- The uses: reference for Process-PSModule is pinned to a full commit SHA
- The patch-level version tag appears in a trailing comment (e.g., # v5.4.5)
- Dependabot or Renovate configuration covers this reference for automated updates
- The pattern is consistent with all other uses: references in the infrastructure
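As an added example (not part of this issue or of the PSModule project), a small Python check that enforces the acceptance criteria above: every remote uses: reference must be pinned to a 40-hex commit SHA and carry a trailing version comment. The workflow text it scans is constructed for this illustration; the Process-PSModule @v5 line in it mirrors the one the issue describes.

```python
import re

# Constructed sample workflow (not from the PSModule repository): one
# correctly pinned step, one local action, one reusable workflow on a
# mutable major tag, and one SHA pin with no version comment.
SAMPLE_WORKFLOW = """\
name: Process-PSModule
on: [push]
jobs:
  process:
    uses: PSModule/Process-PSModule/.github/workflows/workflow.yml@v5
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: ./.github/actions/local-helper
      - uses: actions/setup-node@abcdef0123456789abcdef0123456789abcdef01
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_COMMENT_RE = re.compile(r"^v?\d+\.\d+\.\d+$")

def check_uses_refs(workflow_text):
    """Return (line_number, reference, problem) for every remote `uses:`
    line that is not pinned to a full commit SHA with a trailing version
    comment. Local actions (./path) live in the repository and are skipped."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref").strip("'\"")
        if ref.startswith("./"):
            continue
        _, at, version = ref.rpartition("@")
        if not at or not SHA_RE.match(version):
            findings.append((lineno, ref, "mutable ref, not a full commit SHA"))
            continue
        comment = (m.group("comment") or "").strip()
        if not VERSION_COMMENT_RE.match(comment):
            findings.append((lineno, ref, "SHA pinned but no version comment"))
    return findings


if __name__ == "__main__":
    for lineno, ref, problem in check_uses_refs(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {problem}")
```

Run it against the real .github/workflows/*.yml files in CI to fail the build whenever a mutable tag is reintroduced.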
Technical decisions
Scope: This issue covers the PSModule/GitHub repository specifically. Other consumer repositories should be updated in their own PRs or via the Distributor sync mechanism.
SHA to pin: 4343d76f9e8c9468527175ea292092c2d055be8c (current v5.4.5). This will be updated once PR #308 is merged and released, so the implementer should use the latest tag at the time of implementation.
Dependabot compatibility: Dependabot supports SHA-pinned reusable workflow references and can update them automatically. The existing dependabot.yml in the repository should already cover this if the github-actions ecosystem is configured.
Implementation plan
- Update the uses: reference in .github/workflows/Process-PSModule.yml to the SHA-pinned format with a patch-level version tag comment