Skip to content

chore: pin GitHub Actions to commit SHAs#72

Open
BGos87 wants to merge 1 commit into
masterfrom
chore/pin-github-actions-20260512
Open

chore: pin GitHub Actions to commit SHAs#72
BGos87 wants to merge 1 commit into
masterfrom
chore/pin-github-actions-20260512

Conversation

@BGos87

@BGos87 BGos87 commented May 12, 2026

Copy link
Copy Markdown

Summary

Pin every uses: ref in .github/workflows/ (and any composite action
files) to a full 40-character commit SHA, with the original tag
preserved as a # vX comment.

Why

Tags and branches are mutable, so a compromised action can replace what
runs in our pipelines without changing the tag we reference. Pinning to
a SHA closes that supply-chain vector. See GitHub's hardening guide:
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions.

Deadline

TechOps is enforcing SHA-pinned GitHub Actions across the org by
June 8, 2026.
Merging this PR brings the repo into compliance ahead
of the cut-over; after that date workflows that still reference
mutable tags or branches will be blocked from running.

How

Generated mechanically with pinact run.
No version bumps were applied (strict pin); follow-up upgrades can come
from Renovate or a separate pinact run -u PR.

Test plan

  • CI green on this branch

Note

Low Risk
Low risk: workflow-only change that pins existing GitHub Actions to immutable SHAs; behavior should be unchanged aside from relying on those exact action revisions.

Overview
Supply-chain hardening for GitHub Actions. Updates .github/workflows/ci.yml and .github/workflows/codeql-analysis.yml to replace mutable @v1/@v2 action tags with full 40-character commit SHAs, preserving the prior versions as comments (e.g., # v2.7.0, # v1.1.39).

No job logic changes are introduced; this only locks the workflows to the exact action revisions for checkout, setup-node, and codeql-action steps.

Reviewed by Cursor Bugbot for commit b1a2ff6. Bugbot is set up for automated code reviews on this repo. Configure here.

Pin every `uses:` ref in .github/workflows and composite actions to a
full 40-character commit SHA, with the original tag preserved as a
comment, e.g.

    uses: actions/checkout@11bd719 # v4

Tags and branches are mutable; commit SHAs are not. Pinning to a SHA
closes a supply-chain vector where a compromised action could replace
what runs in CI without changing the tag we reference.

Generated mechanically with `pinact run`
(https://github.com/suzuki-shunsuke/pinact). No version bumps were
applied (strict pin).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant