
Pin GitHub Actions in release workflow to commit SHAs #87

Open
HodaSalim wants to merge 1 commit into main from fix/pin-github-actions

Conversation

@HodaSalim HodaSalim commented Jun 30, 2026

Contributor

Summary

  • The procore-oss org enforces that all GitHub Actions must be pinned to a full-length commit SHA (a supply-chain security measure). The Release workflow used mutable tags (@v4, @v44, @v1, @v2) and was therefore blocked on every push to main, failing in ~7s before doing any work.
  • This is why gem 1.1.0 was never published: lib/sift/version.rb on main reads 1.1.0, but RubyGems' latest procore-sift is still 1.0.0.
  • Pins each action to the exact commit its tag currently points to, matching the procore-oss/blueprinter release workflow. No behavior change beyond making the references immutable.
Action                                  Pinned SHA
actions/checkout                        de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
tj-actions/changed-files                934b2d2c7e653bb8c968afed5a0428617f09aa24 # v44
ruby/setup-ruby                         9eb537ca036ebaed86729dcb9309076e4c5c3b74 # v1
fac/ruby-gem-setup-credentials-action   5f62d5f2f56a11c7422a92f81fbb29af01e1c00f # v2
fac/ruby-gem-push-action                b2b56ea12bd8eb96b1add0befca8a9726b652078 # v2

Test plan

  • Confirm the Release workflow no longer fails the action-pinning check after this merges.
  • Note: merging this alone will not publish 1.1.0 (no version.rb change in this push). Publish 1.1.0 by manually running the workflow: gh workflow run release.yaml --ref main.

Made with Cursor
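As an added illustration of the check this PR is satisfying (example code, not part of the PR or of the procore-oss tooling), the script below scans a workflow for `uses:` references and flags any that are not pinned to a full-length 40-hex commit SHA, or that are pinned but lack the `# vN` comment that records which tag the SHA came from. The two workflow snippets are constructed for the example: the "before" uses the mutable tags the PR description names, and the "after" uses the SHAs from the PR's table. Local actions (`./path`) and `docker://` images are skipped because the SHA rule does not apply to them; the real org-level policy check may differ in its details.

```python
import re

# Constructed "before" sample: mutable tag references like the ones the PR
# replaces. This is not the repository's actual release.yaml.
BEFORE = """\
name: Release
on:
  push:
    branches: [main]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v44
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: "3.3"
      - uses: ./.github/actions/local-step
"""

# Constructed "after" sample using the commit SHAs listed in the PR table.
AFTER = """\
name: Release
on:
  push:
    branches: [main]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
      - uses: tj-actions/changed-files@934b2d2c7e653bb8c968afed5a0428617f09aa24 # v44
      - uses: ruby/setup-ruby@9eb537ca036ebaed86729dcb9309076e4c5c3b74 # v1
        with:
          ruby-version: "3.3"
      - uses: ./.github/actions/local-step
"""

# Matches `uses:` lines (with or without a leading list dash, optionally
# quoted) and captures the reference and anything after it (e.g. a comment).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?(.*)$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_uses(workflow_text):
    """Return a list of (line_no, ref, problem) for every `uses:` reference
    that is not immutably pinned. An empty list means the workflow passes."""
    problems = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, trailer = m.group(1), m.group(2)
        # Local composite actions and docker images are outside the SHA rule.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            problems.append((line_no, ref, "no ref at all"))
            continue
        _action, version = ref.rsplit("@", 1)
        if not FULL_SHA_RE.match(version):
            # Tags (v4), branches (main) and short SHAs can all move.
            problems.append((line_no, ref, "mutable ref, not a 40-hex commit SHA"))
        elif not re.search(r"#\s*\S", trailer):
            # Pinned, but nobody can tell which tag it corresponds to.
            problems.append((line_no, ref, "pinned but missing a '# vN' comment"))
    return problems


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        found = check_uses(text)
        print(f"{label}: {len(found)} problem(s)")
        for line_no, ref, why in found:
            print(f"  line {line_no}: {ref}: {why}")
```

Run against a real file with `check_uses(open(".github/workflows/release.yaml").read())`; wiring it into a pre-commit hook or a required CI job catches a regression to `@v4`-style tags before the org-level check blocks the release again.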

@HodaSalim HodaSalim requested a review from a team as a code owner June 30, 2026 17:58
@github-actions github-actions Bot added the repo label Jun 30, 2026
The procore-oss org requires all actions to be pinned to a full-length
commit SHA. The Release workflow was failing this check on every push to
main, which is why gem version 1.1.0 was never published. Pin each action
to the commit its tag currently points to, matching the procore-oss/blueprinter
release workflow.

Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Hoda Salim <hoda.s.salim@gmail.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
@HodaSalim HodaSalim force-pushed the fix/pin-github-actions branch from 34ec509 to e7faa5a Compare June 30, 2026 18:00