
ci: pin GitHub Actions to commit SHAs for security#124

Merged
Douglas (dacoburn) merged 1 commit intomainfrom
doug/pin-github-actions
Oct 24, 2025

Conversation

@dacoburn
Contributor

Root Cause

We implemented a requirement for GitHub Actions to be pinned to commit hashes.

Fix

Pin all GitHub Actions references to specific commit SHAs instead of version tags to improve security and reproducibility:

  • actions/checkout@v4 → eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
  • actions/setup-python@v5 → f677139bbe7f9c59b41e40162b753c062f5d49a3
  • pypa/gh-action-pypi-publish@v1.12.4 → ab69e431e9c9f48a3310be0a56527c679f56e04d
  • actions/github-script@v7 → 60a0d83039c74a4aee543508d2ffcb1c3799cdea
  • docker/setup-qemu-action@v3 → 49b3bc8e6bdd4a60e6116a5414239cba5943d3cf
  • docker/setup-buildx-action@v3 → c47758b77c9736f4b2ef4073d4d51994fabfe349
  • docker/login-action@v3 → 9780b0c442fbb1117ed29e0efdff1e18412f7567
  • docker/build-push-action@v5 → 4f58ea79222b3b9dc2c8bbdd6debcef730109a75

This follows GitHub security best practices by ensuring exact versions are used and preventing potential supply chain attacks from compromised tags.

Public Changelog

N/A

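A CI-side check for the rule this PR enforces, as an added example (not code from the socketsecurity project): it scans the `uses:` lines of a workflow file and reports every third-party action whose ref is not a full 40-hex commit SHA, treating tags, branches and abbreviated SHAs alike as unpinned, and exempting local (`./`) and `docker://` references. The two workflow snippets are constructed for the example; the SHAs in the "after" snippet are the ones listed in this PR, and the trailing `# vN` comments are an assumed convention (not shown in the PR) that lets tooling such as Dependabot know which release a pin corresponds to, so the check also flags SHA pins that lack one.

```python
"""Audit GitHub Actions workflows for `uses:` refs that are not SHA-pinned.

Added example, not code from the socketsecurity repository. Sample workflow
text below is constructed; the SHAs match the ones listed in the PR.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# `- uses: owner/repo[/path]@ref` with an optional trailing `# comment`.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)(?:\s*#\s*(?P<comment>.*))?\s*$"
)
# Only a full-length commit SHA counts as pinned; short SHAs are ambiguous.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class Finding:
    line: int
    uses: str
    status: str  # pinned | unpinned | pinned-no-version-comment | exempt


def classify(uses: str, comment: Optional[str]) -> str:
    """Classify a single `uses:` target."""
    # Local actions and docker images are not GitHub repo refs: out of scope.
    if uses.startswith("./") or uses.startswith("docker://"):
        return "exempt"
    if "@" not in uses:
        return "unpinned"  # no ref at all, resolves to the default branch
    _, ref = uses.rsplit("@", 1)
    if not FULL_SHA_RE.fullmatch(ref):
        return "unpinned"  # tag, branch name or abbreviated SHA
    if not comment:
        return "pinned-no-version-comment"  # pinned, but update tooling is blind
    return "pinned"


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` line in the workflow text."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        uses = m.group("ref").strip("'\"")
        findings.append(Finding(lineno, uses, classify(uses, m.group("comment"))))
    return findings


def unpinned(text: str) -> list[str]:
    """The refs a CI gate should fail on."""
    return [f.uses for f in audit_workflow(text) if f.status == "unpinned"]


# Constructed "before" workflow: tags plus one abbreviated SHA.
BEFORE_WORKFLOW = """\
name: release
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
      - uses: ./.github/actions/local-step
      - uses: pypa/gh-action-pypi-publish@v1.12.4
      - uses: docker/login-action@9780b0c
"""

# Constructed "after" workflow using the SHAs from the PR; the last pin
# deliberately omits the version comment to show that status.
AFTER_WORKFLOW = """\
name: release
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5
      - uses: ./.github/actions/local-step
      - uses: pypa/gh-action-pypi-publish@ab69e431e9c9f48a3310be0a56527c679f56e04d # v1.12.4
      - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE_WORKFLOW), ("after", AFTER_WORKFLOW)):
        print(f"== {name} ==")
        for f in audit_workflow(text):
            print(f"line {f.line}: {f.uses} -> {f.status}")
    raise SystemExit(1 if unpinned(AFTER_WORKFLOW) else 0)
```

Run it as a workflow step (or pre-commit hook) over `.github/workflows/*.yml` and fail the job when `unpinned()` is non-empty. Pinning to a SHA is only as strong as the SHA you copied: resolve it yourself with `git ls-remote` against the action's repository rather than trusting a value pasted from elsewhere, and keep the `# vN` comment so the pin can be bumped deliberately instead of silently drifting back to a tag.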
@dacoburn Douglas (dacoburn) requested a review from a team as a code owner October 24, 2025 01:29
@dacoburn Douglas (dacoburn) requested review from Alex (alxhotel) and Jeppe Fredsgaard Blaabjerg (jfblaa) and removed request for a team October 24, 2025 01:29
@github-actions

🚀 Preview package published!

Install with:

pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketsecurity==2.2.12.dev1

Docker image: socketdev/cli:pr-124

@dacoburn Douglas (dacoburn) merged commit ee8b836 into main Oct 24, 2025
6 checks passed
@dacoburn Douglas (dacoburn) deleted the doug/pin-github-actions branch October 24, 2025 01:32