Hi Databricks Setup CLI maintainers 👋
I’d like to request that this repository consider adopting immutable releases as part of its release and distribution strategy, in line with GitHub’s supply chain security best practices.
GitHub documents immutable releases here:
👉 https://docs.github.com/en/code-security/concepts/supply-chain-security/immutable-releases
## Why this matters
At the moment, releases (or release assets) can technically be modified or replaced after publication. While this may be convenient operationally, it introduces avoidable supply chain risk, especially for a security‑sensitive tool like setup-cli that is commonly used in automation, CI/CD pipelines, and privileged environments.
Immutable releases provide the following security and operational benefits:
- **Protection against release tampering**: ensures binaries and artifacts cannot be altered post‑release, intentionally or accidentally.
- **Stronger auditability and provenance**: consumers can trust that a given version tag always maps to the same bits.
- **Improved defense against supply‑chain attacks**: aligns with modern best practices for secure software distribution.
- **Safer CI/CD consumption**: downstream pipelines relying on release versions gain stronger guarantees.
## Suggested approach
Some possible ways to implement this (one or more):
- Publish releases as immutable GitHub releases, avoiding asset replacement or retagging
- Treat releases as append‑only (new version instead of modifying an existing one)
- Optionally combine with:
  - Signed release artifacts
  - Checksums (SHA256/SHA512)
  - Provenance metadata or SBOMs
## Context
GitHub explicitly recommends immutable releases as a baseline supply chain security control, particularly for CLI tools and automation dependencies:
https://docs.github.com/en/code-security/concepts/supply-chain-security/immutable-releases
Adopting this would further strengthen the security posture of databricks/setup-cli and increase confidence for enterprise users.
Happy to help discuss or validate an approach if this is something the team is open to exploring. Thanks for considering!
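As an added example (not part of the original issue or of the setup-cli project), the consumption side of the checksum suggestion above: a CI step that refuses a release asset whose SHA256 does not match a digest pinned together with the version. The asset contents and the pinned digest are constructed for the demo; in a pipeline the file would be the downloaded release asset.

```shell
#!/bin/sh
# Added example, not code from databricks/setup-cli: pin a downloaded release
# asset to a SHA256 digest recorded in the pipeline configuration, so that an
# asset replaced under the same tag is rejected instead of being executed.
set -eu

# sha256_of FILE: print the hex digest, using whichever tool the runner has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_asset FILE EXPECTED_SHA256: returns 0 on match, 1 on mismatch.
# EXPECTED_SHA256 should be pinned alongside the version in the pipeline,
# not fetched from the same release it is meant to protect.
verify_asset() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "digest mismatch for $file: expected $expected, got $actual" >&2
  return 1
}

# demo: constructed stand-in for a release tarball. The pinned value is the
# SHA256 of the bytes "hello\n"; appending a byte simulates a replaced asset.
demo() {
  tmp=$(mktemp)
  printf 'hello\n' > "$tmp"
  pinned=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
  if verify_asset "$tmp" "$pinned"; then ok=1; else ok=0; fi
  printf 'x' >> "$tmp"
  if verify_asset "$tmp" "$pinned" 2>/dev/null; then rejected=0; else rejected=1; fi
  rm -f "$tmp"
  [ "$ok" -eq 1 ] && [ "$rejected" -eq 1 ]
}
```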