RUST-135 Revert "Pin dependencies (#221)" #223
This reverts commit 889cb35.
Summary
This PR reverts dependency pinning in GitHub Actions workflows, moving from exact version pins to floating major version tags. Changes affect 15+ workflow files and involve internal SonarSource dependencies:
This enables automatic updates to minor and patch versions rather than requiring explicit upgrades in future commits.
What reviewers should know
Scope: All changes are confined to
Key trade-off: Reverting from pinned versions means workflows will automatically pick up new minor/patch releases from these internal SonarSource dependencies, but at the cost of less reproducible builds. The previous commit (#221) pinned for reproducibility; this revert prioritizes staying current with fixes and improvements.
What to check:
Context: These are internal SonarSource dependencies with no external security implications, making version floats lower risk than external dependencies.
LGTM! ✅
Clean, consistent change across all workflow files. Notably, external/third-party actions (actions/checkout, jdx/mise-action) remain SHA-pinned throughout — only internal SonarSource actions are unpinned, which is the right split from a supply-chain security perspective.
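The split the review describes (internal SonarSource actions may float on a major tag, every external action stays SHA-pinned) can be checked mechanically on each workflow file. The script below is an added example, not code from this PR or from SonarSource; it assumes `SonarSource` is the only owner that counts as internal and runs over a constructed workflow fragment rather than the repository's own files.

```python
"""Policy check for GitHub Actions `uses:` references.

Added example, not part of the PR or the SonarSource repositories. Policy:
actions owned by an internal org (assumed here to be only `SonarSource`) may
float on a tag such as @v1; every other action must be pinned to a full
40-hex commit SHA. Local `./path` actions carry no `@ref` and are skipped;
`docker://` references are not handled by this check.
"""
import re

INTERNAL_ORGS = {"SonarSource"}  # assumption: owners treated as internal
_USES = re.compile(r"^\s*-?\s*uses:\s*([A-Za-z0-9_.\-/]+)@([^\s#]+)")
_SHA = re.compile(r"^[0-9a-f]{40}$")


def check_uses(workflow_text: str) -> list[str]:
    """Return one message per violating `uses:` line; empty list means compliant."""
    problems = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = _USES.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        owner = action.split("/")[0]
        if owner in INTERNAL_ORGS:
            continue  # internal action: floating major tag accepted by this policy
        if not _SHA.match(ref):  # tags and branches are mutable, a SHA is not
            problems.append(
                f"line {lineno}: external action {action} uses mutable ref '{ref}', "
                f"expected a 40-hex commit SHA"
            )
    return problems


# Constructed workflow fragment (not from the repository); the SHA is a dummy value.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@1111111111111111111111111111111111111111 # v4
      - uses: jdx/mise-action@v2
      - uses: SonarSource/some-internal-action@v1
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for msg in check_uses(SAMPLE) or ["all external actions are SHA-pinned"]:
        print(msg)
```

Running it on the sample reports only the `jdx/mise-action@v2` line, since the internal action is allowed to float and the checkout action is SHA-pinned.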
As these are internal dependencies, they don't bring security risks, and not pinning has the advantage of automatically using new versions.