
Pin github actions version packages with sha #3974

Open
Iznogohul wants to merge 1 commit into bluerobotics:master from Iznogohul:chore/harden-ci-actions

Conversation

@Iznogohul Iznogohul commented Jul 4, 2026


Description

Prior to this commit, all GitHub Actions packages looked for the current latest major release of the package. This could potentially lead to the execution of malicious code if any package maintainer got compromised and new version tags got released or current ones got re-uploaded. So by pinning each and every one, this gets eliminated.

Changed

  • Replaced all action references from the format: <action_name>@ to: <action_name>@

Notes:

  • Used the latest available patch version of each GitHub action and not the latest available.
  • claude-pr-review uses actions/checkout@v4, so this has been changed to the latest v4 version and not the latest available version of actions/checkout. This was done to ensure that nothing will break and the same actions will continue to run.
  • Not sure if anthropics/claude-code-action needs to be pinned down; since they release ~1-2 versions each day, it might need to access the latest features of the claude action.

Summary by Sourcery

Pin GitHub Actions workflow dependencies to specific commit SHAs for more deterministic and secure CI runs.

Build:

  • Update all GitHub Actions and third-party actions in workflows to use pinned commit SHAs instead of floating version tags.

CI:

  • Align CI workflows (test-and-deploy, PR review, block AI commits, duplicate issue detection, submodule sync) to use SHA-pinned versions of checkout, setup, Docker, AWS, artifact upload, and Anthropic actions for reproducible pipeline executions.

Instead of using <action_name>@<version>, I have changed all of them to be in the format <action_name>@<sha256> of the latest currently available version of this tag. Since the GitHub Actions have already run in the master blueOS repo, no new versions are getting introduced; they are just getting pinned down.
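As an added example (not code from this PR or the BlueOS repository), the check below scans a workflow file for `uses:` references that are not pinned to a full 40-character commit SHA, which is the property this PR establishes; the sample workflow and the SHA in it are constructed placeholders.

```python
import re
from typing import List, Tuple

# Added example (not BlueOS code): flag `uses:` references in a GitHub Actions
# workflow that are not pinned to a full 40-character commit SHA. Local actions
# (./path) and docker:// images are skipped; this check covers repository actions only.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')

def is_pinned(ref: str) -> bool:
    """True only if the part after '@' is a full lowercase hex commit SHA.
    Tags (v4), branches (main) and short SHAs (abcdef1) all count as unpinned."""
    if "@" not in ref:
        return False  # no ref at all floats on the action's default branch
    return bool(FULL_SHA_RE.match(ref.rsplit("@", 1)[1]))

def find_unpinned(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, reference) for each unpinned action in a workflow."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if not is_pinned(ref):
            findings.append((lineno, ref))
    return findings

# Constructed sample workflow; the 40-character SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup
        uses: actions/setup-python@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v5
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - uses: some-org/some-action@main
      - uses: actions/cache@abcdef1
"""
if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a full commit SHA")
```

Keeping the tag in a trailing comment next to the SHA, as in the setup-python line, preserves readability while the SHA is what actually gets resolved.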
cursor Bot commented Jul 4, 2026


Bugbot is not enabled for this team, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@CLAassistant


CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

@sourcery-ai sourcery-ai Bot left a comment


Hey - I've reviewed your changes and they look great!

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
