Summary
Taskfiles currently install Go tools at `latest`, and the GitHub Actions workflows should likewise pin every tool they install to a specific version. Resolving `latest` at install time is a supply chain risk: a compromised upstream release would silently flow into CI and developer environments on the next run, with no diff in this repository for anyone to review.
Scope
Taskfile Go tools (.taskfiles/golang.Taskfile.yml)
All entries in the `GO_VERSION` map are currently set to `latest`:
`dlv`, `gopls`, `deadcode`, `golangciLint`, `gotestsum`, `govulncheck`, `goimports`, `gofumpt`, `goTestCoverage`, `gocoverCobertura`, `goreleaser`
Other Taskfiles
Audit all .taskfiles/*.yml for any other tools installed with unpinned versions.
Recommendation
- Pin each tool to its current stable release as an explicit `vX.Y.Z` tag, so `go install tool@vX.Y.Z` resolves the same module version (verified against the Go checksum database) on every run; in workflows, pin actions to a full commit SHA rather than a mutable tag for the same reason
- Use Dependabot or Renovate to manage version bumps going forward (Dependabot has no Taskfile ecosystem, so this will likely need Renovate's custom regex manager)
- Document the pinning convention so new tools are added with explicit versions
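An added example (not the project's own tooling) of the audit in Scope and the pin check in Recommendation, written as a POSIX shell script: it scans Taskfiles for any `<tool>: latest` entry and fails when one is found, so it can gate CI until every entry is pinned. The sample Taskfiles it writes are constructed to mirror the `GO_VERSION` map described above; their layout and the pinned version numbers are assumptions, not the repo's real files.

```shell
#!/bin/sh
# Added example, not the project's own code. Audits Taskfiles for Go tools
# still set to `latest`. The Taskfile layout used below (a vars map with one
# `<tool>: <version>` entry per tool) is an assumption about the repo.
set -eu

# List every "<key>: latest" scalar as file:line:key. Passing /dev/null
# alongside the real files forces grep to prefix each hit with its filename
# even when only one file is given.
find_unpinned() {
  grep -nE '^[[:space:]]*[A-Za-z0-9_-]+:[[:space:]]*"?latest"?[[:space:]]*$' /dev/null "$@" \
    | sed -E 's/^([^:]+):([0-9]+):[[:space:]]*([A-Za-z0-9_-]+):.*/\1:\2:\3/'
}

# CI gate: succeed only when no tool in the given files is unpinned.
check_pinned() {
  hits=$(find_unpinned "$@")
  if [ -n "$hits" ]; then
    printf 'unpinned tool versions:\n%s\n' "$hits" >&2
    return 1
  fi
  return 0
}

# Constructed sample inputs (illustrative; version tags are assumed, not
# taken from the repo). One file still uses latest, the other is pinned.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/golang.Taskfile.yml" <<'EOF'
version: '3'
vars:
  GO_VERSION:
    dlv: latest
    gopls: latest
    govulncheck: "latest"
    goreleaser: v1.26.2
EOF
cat > "$SAMPLE_DIR/golang.pinned.Taskfile.yml" <<'EOF'
version: '3'
vars:
  GO_VERSION:
    dlv: v1.22.1
    gopls: v0.16.1
    govulncheck: v1.1.3
    goreleaser: v1.26.2
EOF

# Run the gate over every Taskfile in the sample directory.
if check_pinned "$SAMPLE_DIR"/*.yml; then
  echo "all tools pinned"
else
  echo "pin the entries listed above, e.g. dlv: v1.22.1"
fi
```

Point `check_pinned` at `.taskfiles/*.yml` in a CI step to make the build fail whenever a new tool is added with `latest`; the `file:line:key` output tells the author exactly which entry to pin.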
Why this matters
- Supply chain security: Prevents silent injection of compromised releases
- Reproducibility: Ensures consistent builds across CI and local dev
- Auditability: Version changes are tracked in git history via explicit PRs