[Security hardening] Pin GitHub Actions by SHA #2441

Merged
mnriem merged 1 commit into github:main from PascalThuet:codex/pin-github-actions
May 4, 2026

Conversation

@PascalThuet (Contributor)

Summary

  • Pin GitHub Actions workflow dependencies to immutable commit SHAs.
  • Keep the upstream tag version as a trailing comment for maintainability.

Security context

This reduces supply-chain risk from mutable action tags.

Closes #2439

Validation

  • git diff --check
  • rg -n "uses: [^@]+@v[0-9]" .github/workflows
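As an added example, not code from this PR or from the project, the following Python checker applies the pinning rule described in the summary above to workflow text: a `uses:` reference counts as pinned only when the ref after `@` is a full 40-hex commit SHA and the trailing version comment is present. Because it tests the ref shape rather than the `@v<digit>` pattern the validation `rg` command looks for, it also flags branch refs such as `@main`. The sample workflow, the placeholder SHAs in `SHA_BY_REF` and the function names `check_workflow`, `pin_line` and `pin_workflow` are constructed for this example.

```python
"""Added example, not code from PR #2441 or the project: check GitHub
Actions workflows for `uses:` references that are not pinned to a full
commit SHA, and rewrite them in the `action@<sha> # <tag>` form the PR
adopts. The sample workflow and the SHAs in SHA_BY_REF are constructed
placeholders, not real commits."""
import re
import sys

# A ref is only immutable when it is a full 40-hex commit SHA.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "- uses: owner/repo@ref # comment" with any indentation.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>.*))?$")


def check_workflow(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, ref, reason) for every uses: line that is not
    pinned to a full SHA or lacks the trailing version comment."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref").strip("'\"")
        # Docker images and local actions are not pinned by commit SHA.
        if ref.startswith(("docker://", "./")):
            continue
        if "@" not in ref:
            findings.append((n, ref, "missing @ref"))
            continue
        _, _, version = ref.rpartition("@")
        comment = (m.group("comment") or "").strip()
        if not SHA_RE.match(version):
            # Tags (v4, v4.1.1) and branches (main) are both mutable.
            findings.append((n, ref, "not a full commit SHA"))
        elif not comment:
            findings.append((n, ref, "missing version comment"))
    return findings


def pin_line(line: str, sha_by_ref: dict[str, str]) -> str:
    """Rewrite one uses: line to action@sha, keeping the old ref as the
    trailing comment. Lines whose ref is not in sha_by_ref are unchanged."""
    m = USES_RE.match(line)
    if not m:
        return line
    ref = m.group("ref").strip("'\"")
    sha = sha_by_ref.get(ref)
    if sha is None:
        return line
    action, _, version = ref.rpartition("@")
    return f"{line[:m.start('ref')]}{action}@{sha} # {version}"


def pin_workflow(text: str, sha_by_ref: dict[str, str]) -> str:
    return "\n".join(pin_line(l, sha_by_ref) for l in text.splitlines()) + "\n"


# Constructed sample: two tag refs, one branch ref, one docker image,
# one local action.
SAMPLE_BEFORE = """\
name: test
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5.3.0
        with:
          python-version: "3.12"
      - uses: some-org/some-action@main
      - uses: docker://alpine:3.19
      - uses: ./.github/actions/local
"""

# Placeholder SHAs (not real commits). In practice resolve each tag to its
# commit first, e.g. with `git ls-remote --tags`, taking the peeled `^{}`
# entry for annotated tags.
SHA_BY_REF = {
    "actions/checkout@v4": "1" * 40,
    "actions/setup-python@v5.3.0": "2" * 40,
}

if __name__ == "__main__":
    # Usage: python pin_check.py .github/workflows/*.yml  (no args: sample)
    paths = sys.argv[1:]
    texts = {p: open(p).read() for p in paths} if paths else {"<sample>": SAMPLE_BEFORE}
    bad = 0
    for path, text in texts.items():
        for n, ref, reason in check_workflow(text):
            print(f"{path}:{n}: {ref}: {reason}")
            bad += 1
    sys.exit(1 if bad else 0)
```

The trailing `# vX` comment is not only for human readers: Dependabot's `github-actions` ecosystem recognises SHA-pinned refs and updates both the SHA and that comment when a new release appears, so the pin does not become a frozen, unmaintained version.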

@PascalThuet PascalThuet marked this pull request as ready for review May 2, 2026 06:40
@PascalThuet PascalThuet requested a review from mnriem as a code owner May 2, 2026 06:40
@PascalThuet PascalThuet marked this pull request as draft May 2, 2026 06:44
@PascalThuet PascalThuet marked this pull request as ready for review May 2, 2026 06:45
@mnriem mnriem requested a review from Copilot May 4, 2026 12:36
Copilot AI (Contributor) left a comment


Pull request overview

This PR hardens the repository’s GitHub Actions workflows by replacing mutable action tags (e.g., @v4) with immutable commit SHAs, reducing supply-chain risk while preserving human-readable version context via trailing comments.

Changes:

  • Pinned actions/checkout, actions/setup-python, actions/setup-dotnet, Pages actions, CodeQL actions, and actions/stale to specific commit SHAs.
  • Preserved the upstream tag/major version as a trailing # vX comment for maintainability.
  • Minor whitespace cleanup in workflow YAML.
Summary per file:

File                                  Description
.github/workflows/test.yml            Pins checkout and setup-python action refs to SHAs for test/lint jobs.
.github/workflows/stale.yml           Pins actions/stale to a SHA.
.github/workflows/release.yml         Pins checkout to a SHA for the release workflow.
.github/workflows/release-trigger.yml Pins checkout to a SHA for the release-trigger workflow.
.github/workflows/lint.yml            Pins checkout to a SHA for the markdown lint workflow.
.github/workflows/docs.yml            Pins checkout + Pages-related actions to SHAs for docs deploy.
.github/workflows/codeql.yml          Pins checkout and CodeQL init/analyze actions to SHAs.

Copilot's findings


  • Files reviewed: 7/7 changed files
  • Comments generated: 1

Comment thread .github/workflows/lint.yml
@mnriem mnriem merged commit 09f7657 into github:main May 4, 2026
15 checks passed


Development

Successfully merging this pull request may close the issue "[Security hardening] Pin remaining GitHub Actions to immutable commit SHAs".

3 participants