Add guidance on SHA vs tags in dependencies

dims · dims · commit c7d7335957a1 · 2021-06-10T14:37:33.000-04:00
Signed-off-by: Davanum Srinivas &lt;davanum@gmail.com&gt;
diff --git a/contributors/devel/sig-architecture/vendor.md b/contributors/devel/sig-architecture/vendor.md
@@ -34,6 +34,16 @@ The `go.mod` file in the root of `k8s.io/kubernetes` describes dependencies usin
 * `require` directives list the preferred version of dependencies (this is auto-updated by go tooling to the maximum preferred version of the module)
 * `replace` directives pin to specific tags or commits
 
+## Dependency versions
+
+As a project we prefer that all entries in `go.mod` should be tags in their
+respective repositories. There may be exceptions that will be up to the
+dependency approvers to approve. If there are issues with go mod tooling itself
+then there has to be explicit comment (trailing `// comment`) with details on
+exact tag/release that this SHA corresponds to. Also please ensure tracking
+isssues are open to ensure these SHA(s) are cleaned up over time and switched
+over to tags.
+
 ## Adding or updating a dependency
 
 The most common things people need to do with deps are add and update them.
