Skip to content

Commit ae40cb6

Browse files
committed
feat(ci-cd): add GitHub actions pinning process
Signed-off-by: Emilien Escalle <emilien.escalle@escemi.com>
1 parent fb699e7 commit ae40cb6

20 files changed

Lines changed: 272 additions & 70 deletions

File tree

application/docs/methodology/best-practices/ci-cd/cicd-release-management.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -231,6 +231,12 @@ feat!: remove deprecated API → MAJOR bump
231231

232232
**Automated Versioning:**
233233

234+
:::tip Pin real workflow refs with Ratchet
235+
This example uses a readable tag for clarity. In a real repository, run [Pin
236+
workflow refs with Ratchet](./github-actions/pinning-with-ratchet.md) on your
237+
workflow files and commit the rewritten SHA pins.
238+
:::
239+
234240
```yaml
235241
# .github/workflows/release.yml
236242
- name: Semantic Release

application/docs/methodology/best-practices/ci-cd/github-actions/index.md

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -78,10 +78,17 @@ Treat Actions dependencies as executable third-party code. A compromised action
7878
read the repository checkout, inspect runner files, access available secrets, and
7979
use granted token permissions.
8080

81+
When you need the latest safe pin for a workflow ref, start from a readable
82+
version such as `@v4`, then use [Pin workflow refs with
83+
Ratchet](./pinning-with-ratchet.md) to rewrite it to a full SHA and keep the
84+
generated `# ratchet:` constraint comment so later `ratchet update` runs remain
85+
predictable.
86+
8187
✅ **DO**:
8288

8389
- Pin third-party actions and reusable workflows to full-length commit SHAs.
8490
- Keep a readable version comment next to pinned SHAs when useful for maintenance.
91+
- Use Ratchet to upgrade workflow refs and regenerate SHA pins through reviewed pull requests.
8592
- Review the source, ownership, release history, and permissions of new actions.
8693
- Keep Actions dependencies up to date through reviewed pull requests.
8794
- Enable Dependabot updates for GitHub Actions dependencies.
Lines changed: 125 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,125 @@
1+
---
2+
sidebar_position: 2
3+
---
4+
5+
# Pin workflow refs with Ratchet
6+
7+
Use Ratchet to turn human-readable GitHub Actions refs into full commit SHA pins,
8+
then keep those pins current through reviewed pull requests.
9+
10+
## Why this matters
11+
12+
GitHub Action tags such as `@v4` and branch refs such as `@main` are mutable.
13+
Production workflows should commit full-length SHAs instead:
14+
15+
```yaml
16+
- uses: actions/checkout@v4
17+
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # ratchet:actions/checkout@v4
18+
```
19+
20+
That gives you both properties you want:
21+
22+
- a fixed, reviewable revision in the workflow file
23+
- a machine-managed `# ratchet:` comment that records the version constraint Ratchet should keep tracking
24+
25+
## Recommended workflow
26+
27+
When you copy a methodology snippet into a real repository:
28+
29+
1. Replace documentation placeholders such as `@<version-sha> # x.y.z` with one real released tag.
30+
2. Run Ratchet across your workflow files.
31+
3. Commit the rewritten SHA pins.
32+
33+
Example:
34+
35+
```yaml
36+
uses: actions/checkout@v4
37+
uses: hoverkraft-tech/ci-github-common/.github/workflows/semantic-pull-request.yml@v0.37.1
38+
```
39+
40+
For reusable workflow snippets like:
41+
42+
```yaml
43+
uses: hoverkraft-tech/ci-github-container/.github/workflows/prune-pull-requests-images-tags.yml@<version-sha> # x.y.z
44+
```
45+
46+
replace the whole placeholder pair with the actual tag first, for example:
47+
48+
```yaml
49+
uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@0.37.1
50+
```
51+
52+
From the repository root, run exactly the first time:
53+
54+
```sh
55+
ratchet pin .github/workflows/*.yml
56+
```
57+
58+
If Ratchet is not installed locally, run exactly:
59+
60+
```sh
61+
docker run --rm -v "$PWD:$PWD" -w "$PWD" ghcr.io/sethvargo/ratchet:latest pin .github/workflows/*.yml
62+
```
63+
64+
That rewrites the workflow to pinned SHAs and adds Ratchet-managed comments such
65+
as `# ratchet:actions/checkout@v4`.
66+
67+
If you want the final checked-in comment in `# vx.y.z` form instead, start from
68+
exact tags such as `@v7.0.0` rather than floating tags such as `@v7`, then run
69+
exactly:
70+
71+
```sh
72+
find .github/workflows -type f \( -name '*.yml' -o -name '*.yaml' \) -exec perl -0pi -e 's/# ratchet:.*@/# /g' {} +
73+
```
74+
75+
That rewrites a line such as:
76+
77+
```yaml
78+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # ratchet:actions/checkout@v7.0.0
79+
```
80+
81+
to:
82+
83+
```yaml
84+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
85+
```
86+
87+
The same reformat also works for reusable workflow refs that use plain semantic
88+
version tags such as `0.37.1`.
89+
90+
To refresh pins later without changing the tracked version line, run exactly:
91+
92+
```sh
93+
ratchet update .github/workflows/*.yml
94+
```
95+
96+
Or with the container image:
97+
98+
```sh
99+
docker run --rm -v "$PWD:$PWD" -w "$PWD" ghcr.io/sethvargo/ratchet:latest update .github/workflows/*.yml
100+
```
101+
102+
After either command finishes, review the rewritten `uses:` lines and commit the
103+
Ratchet-managed form `@<full-sha> # ratchet:<owner>/<repo>@<constraint>`.
104+
105+
If you run the reformat command above, treat it as a readability-only
106+
post-processing step: the next `ratchet update` will no longer have Ratchet's
107+
constraint metadata to work from. In that mode, use `ratchet upgrade` when you
108+
want a future refresh, then rerun the reformat command.
109+
110+
## Which command to use
111+
112+
- Use `ratchet pin` when you start from human-readable refs such as `@v4` and want the first pinned SHA plus a tracked constraint comment.
113+
- Use `ratchet update` when you want the latest version that still matches the existing Ratchet constraint.
114+
- Use `ratchet upgrade` only when you intentionally want Ratchet to move to the latest available GitHub Actions version and rewrite the tracked constraint comment.
115+
- Use the reformat command above only when you explicitly prefer `# vx.y.z` comments over keeping Ratchet metadata in the file.
116+
117+
## Team rule
118+
119+
Do not commit workflow refs as `@main`, `@master`, or floating tags in production
120+
workflows. Commit the SHA-pinned result that Ratchet generated and keep the
121+
`# ratchet:` comment if you want future `ratchet update` runs to stay reliable.
122+
123+
## References
124+
125+
- [Ratchet upgrade documentation](https://github.com/sethvargo/ratchet#upgrade)

application/docs/methodology/best-practices/devx/continuous-improvement.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -241,6 +241,12 @@ Treat documentation like code:
241241

242242
**Example CI Check:**
243243

244+
:::tip Pin real workflow refs with Ratchet
245+
This example uses readable tags for clarity. In a real repository, run [Pin
246+
workflow refs with Ratchet](../ci-cd/github-actions/pinning-with-ratchet.md)
247+
on your workflow files and commit the rewritten SHA pins.
248+
:::
249+
244250
```yaml
245251
# .github/workflows/docs.yml
246252
name: Documentation

application/docs/methodology/best-practices/devx/performance-cost-awareness.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -45,6 +45,12 @@ Set measurable performance targets:
4545

4646
### CI Performance Checks
4747

48+
:::tip Pin real workflow refs with Ratchet
49+
This example uses readable tags for clarity. In a real repository, run [Pin
50+
workflow refs with Ratchet](../ci-cd/github-actions/pinning-with-ratchet.md)
51+
on your workflow files and commit the rewritten SHA pins.
52+
:::
53+
4854
```yaml
4955
# .github/workflows/performance.yml
5056
name: Performance

application/docs/methodology/best-practices/devx/security-compliance.md

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -72,6 +72,13 @@ git secrets --scan-history
7272

7373
Use GitHub secret scanning:
7474

75+
:::tip Pin real workflow refs with Ratchet
76+
This example uses readable refs for clarity. In a real repository, run [Pin
77+
workflow refs with Ratchet](../ci-cd/github-actions/pinning-with-ratchet.md)
78+
on your workflow files and commit the rewritten SHA pins instead of leaving
79+
floating refs in place.
80+
:::
81+
7582
```yaml
7683
# .github/workflows/security.yml
7784
name: Security Scan

application/docs/methodology/golden-paths/application/03-ci-cd/github/cd.md

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,14 @@ In the reference application shapes, CD is handled by four workflow entrypoints:
1414

1515
Use [Single application](./single-app.md) for the one-image shape and [Multi-application](./multi-app.md) for the multi-service umbrella-chart shape. This page only describes the shared CD contract.
1616

17+
:::tip Pin copied refs with Ratchet
18+
These workflow snippets use placeholders such as `@<version-sha>` because the
19+
exact commit changes over time. In a real repository, replace the placeholder
20+
with the release tag you want to track, run [Pin workflow refs with
21+
Ratchet](../../../../best-practices/ci-cd/github-actions/pinning-with-ratchet.md),
22+
and commit the rewritten SHA pins.
23+
:::
24+
1725
The contract is the same in both repository shapes:
1826

1927
1. Prepare release metadata continuously.

application/docs/methodology/golden-paths/application/03-ci-cd/github/ci.md

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,18 @@ In the reference application shapes, CI is handled by three workflow entrypoints
1313

1414
Use [Single application](./single-app.md) for the one-image shape and [Multi-application](./multi-app.md) for the multi-service umbrella-chart shape. This page only describes the shared CI contract.
1515

16+
:::tip Pin copied refs with Ratchet
17+
These workflow snippets use placeholders such as `@<version-sha>` because the
18+
exact commit changes over time. In a real repository, replace the placeholder
19+
with the release tag you want to track, run [Pin workflow refs with
20+
Ratchet](../../../../best-practices/ci-cd/github-actions/pinning-with-ratchet.md),
21+
and commit the rewritten SHA pins.
22+
23+
For lines shaped like `uses: repo/.github/workflows/file.yml@<version-sha> # x.y.z`,
24+
replace the whole placeholder ref with a real release tag first, for example
25+
`@0.37.1` or `@v7.0.0`, before running Ratchet.
26+
:::
27+
1628
The core pattern is stable across both supported application shapes:
1729

1830
1. Run repository-wide linting first.

application/docs/methodology/golden-paths/application/03-ci-cd/github/index.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -22,7 +22,7 @@ Use another CI/CD platform if you want, but preserve the same contracts:
2222
- Create a GitHub App for your organization with permissions to read/write contents, deployments, issues, pull requests, and `id-token` usage (for OIDC).
2323
- Store the GitHub App client ID in variable `CI_BOT_APP_CLIENT_ID` and the private key in secret `CI_BOT_APP_PRIVATE_KEY`.
2424
- Configure `OCI_REGISTRY` plus environment URLs such as `REVIEW_APPS_URL`, `UAT_URL`, and `PRODUCTION_URL` when you use preview and promoted environments.
25-
- Pin every reusable workflow and action to a released commit SHA (never `@main`). Use the latest release SHA from the repositories' Releases page or `git ls-remote https://github.com/repo/action.git refs/tags/<version>` and record the exact commit in your workflows, annotating the `uses:` line with the human version (e.g., `@<sha> # v0.30.3`).
25+
- Pin every reusable workflow and action to a released commit SHA (never `@main`). The snippets in this section keep placeholders such as `@<version-sha>` because exact SHAs change over time. In a real repository, replace those placeholders with the release tag you want to track, run [Pin workflow refs with Ratchet](../../../../best-practices/ci-cd/github-actions/pinning-with-ratchet.md), and commit the rewritten SHA pins.
2626

2727
## Guides
2828

application/docs/methodology/golden-paths/application/03-ci-cd/github/multi-app.md

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,14 @@ Use this page when your repository has several deployable services, one Dockerfi
88

99
This is the primary GitHub walkthrough for the multi-application shape. Use [GitHub CI](./ci.md) and [GitHub CD](./cd.md) afterward if you want the reusable workflow contracts without the repository-specific details.
1010

11+
:::tip Pin copied refs with Ratchet
12+
These workflow snippets use placeholders such as `@<version-sha>` because the
13+
exact commit changes over time. In a real repository, replace the placeholder
14+
with the release tag you want to track, run [Pin workflow refs with
15+
Ratchet](../../../../best-practices/ci-cd/github-actions/pinning-with-ratchet.md),
16+
and commit the rewritten SHA pins.
17+
:::
18+
1119
## When this shape fits
1220

1321
- Several deployable services share one repository

0 commit comments

Comments
 (0)