[BUG] install specific version of the Doppler CLI #388
Comments
Sorry for the trouble here. We explicitly try to introduce as few breaking changes as possible. In this case, v3.57.0 had a bug that resulted in the failures you were seeing. We rolled this change back in v3.57.1 so that we could properly investigate and fix it. I would expect monorepo support to be reintroduced within the next week. Once re-added, it'll be backwards compatible with existing configs.
Even if you try not to introduce breaking changes, it seems that it does happen.
I am a bit concerned about the safety and the reliability of this tool.
How can I defend my application from supply chain attacks if I can't force using a specific version? PS: do you have any news on the re-introduction of monorepo support?
Thank you for your note. I can understand your curiosity given that the versions have the same changelog notes. We were moving our release infrastructure from GitHub classic Personal Access Tokens to fine-grained tokens. This took a couple tries to get the permissions right, given that fine-grained tokens have far fewer perms. We also try to never unpublish releases, hence the multiple versions and confusing changelog. We believe that the best way to ensure the security of the CLI is for customers to always be on the latest version. This follows the approach taken by Google Chrome, SaaS solutions, and even your OS. Remaining on an outdated version exposes you to vulnerabilities that may have been fixed in the latest version of our CLI. We don't currently have any plans to change this behavior.
Describe the bug
Version v3.57.0 introduced a bug that forced us to change the doppler config because it made our CI fail (thus blocking all PRs).
We had to hotfix the config and we adopted the new monorepo feature introduced by this release.
Shortly after you released a v3.57.1 that removed this feature and made our CI fail again.
How can we force our CI to use the v3.57.0 and not the latest version?
We are using dopplerhq/cli-action@v2 and it doesn't seem to have an option to install a specific version of the doppler CLI. That could be really useful, particularly if you frequently introduce breaking changes.